Abstract

This monograph presents the Timed Input/Output Automaton (TIOA) modeling 
framework, a basic mathematical framework to support description and analysis of 
timed (computing) systems. Timed systems are systems in which desirable correctness 
or performance properties of the system depend on the timing of events, not just 
on the order of their occurrence. Timed systems are employed in a wide range of 
domains including communications, embedded systems, real-time operating systems, 
and automated control. Many applications involving timed systems have strong safety, 
reliability and predictability requirements, which makes it important to have methods 
for systematic design of systems and rigorous analysis of timing-dependent behavior. 

An important feature of the TIOA framework is its support for decomposing timed 
system descriptions. In particular, the framework includes a notion of external behavior
for a timed I/O automaton, which captures its discrete interactions with its
environment. The framework also defines what it means for one TIOA to implement 
another, based on an inclusion relationship between their external behavior sets, and 
defines notions of simulations, which provide sufficient conditions for demonstrating 
implementation relationships. The framework includes a composition operation for 
TIOAs, which respects external behavior, and a notion of receptiveness, which implies 
that a TIOA does not block the passage of time. 

Keywords: Timed computing systems, formal modeling and verification, I/O automata.
1 Introduction


1.1 Overview 

Timed computing systems are systems in which desirable correctness or performance properties
of the system depend on the timing of events, not just on the order of their occurrence.
A typical timed system consists of computer components, which operate in discrete
steps, and timing-related components such as physical or logical clocks, whose behavior
involves continuous transformation over time. Timed systems are employed in a wide range
of domains including communications, embedded systems, real-time operating systems, 
and automated control. Many applications involving timed systems have strong safety, 
reliability and predictability requirements, which makes it important to have methods for 
systematic design of systems and rigorous analysis of timing-dependent behavior. 

Modeling plays a key role in all stages in the design and analysis of systems. Models 
represent system designs at a level of abstraction that is suitable for isolating and focusing 
on their most crucial aspects. They can be modified and experimented with more easily 
than real implementations. Moreover, if the modeling is performed using the concepts 
provided by a formal framework, the modeling can be done more precisely, and analysis 
and verification methods supported by that framework can be applied. Timed systems, 
which combine discrete steps with continuous evolution of state over time, exhibit complex 
behaviors that are typically hard to describe and analyze in the absence of a carefully
developed modeling framework [1, 2, 3].

A modeling framework must support designing systems in structured ways, viewing 
them at multiple levels of abstraction and as compositions of interacting components. If 
a framework is to provide flexibility and generality, it must also support nondeterminism. 
A system designer might wish to allow several potential behaviors at certain points in 
the computation of a system, for example, to avoid making assumptions about how the 
environment will behave, or to allow several correct implementations for the same design. 
Such liberty in specification would not be possible to accommodate without nondeterminism.
In addition to supporting all of these features, modeling frameworks for timed
systems must provide mechanisms for representing continuously evolving components such 
as clocks and timers. 

An interesting complication that arises in modeling timed systems is that time can 
progress in ways that conflict with our intuition about physical time. For example, we may 
force time to stop entirely to “urge” some discrete action to happen, or schedule infinitely 
many discrete actions to happen in a finite amount of time. A framework needs to provide 
concepts that identify the conditions under which a timed system behaves according to 
our intuitions, that is, the conditions under which time diverges as the system continues 
to run. 

In this work, we introduce a basic mathematical framework - the Timed Input/Output 
Automaton modeling framework - to support description and analysis of timed systems. 



In this framework, a system is represented as a Timed I/O Automaton (TIOA), which is 
a kind of nondeterministic, possibly infinite-state, state machine. The state of a TIOA is 
described by a valuation of state variables that are internal to the automaton. The state of 
a TIOA can change in two ways: instantaneously by the occurrence of a discrete transition, 
which is labeled by a discrete action, or according to a trajectory, which is a function that
describes the evolution of the state variables over intervals of time. Trajectories may be 
continuous or discontinuous functions. 

The TIOA framework supports decomposition of system description and analysis. A 
key to this decomposition is the rigorously-defined notion of external behavior for timed 
I/O automata. The external behavior of each TIOA is defined by a simple mathematical 
object called a trace: essentially, a sequence of actions interspersed with time-passage steps.
Abstraction and parallel composition are other important notions for decomposition of 
system description and analysis. 

For abstraction, the framework includes notions of implementation and simulation, 
which can be used to view timed systems at multiple levels of abstraction, starting from a 
high-level version that describes required properties, and ending with a low-level version 
that describes a detailed design or implementation. In particular, the TIOA framework 
defines what it means for one TIOA, A, to implement another TIOA, B, namely, any 
trace that can be exhibited by A is also allowed by B. In this case, A might be more 
deterministic than B, in terms of either discrete transitions or trajectories. For instance, 
B might be allowed to perform an output action at an arbitrary time before noon, whereas 
A produces the same output sometime between 10 and 11 AM. The notion of a simulation 
relation from A to B provides a sufficient condition for demonstrating that A implements 
B. A simulation relation is defined to satisfy three conditions, one relating start states, 
one relating discrete transitions, and one relating trajectories of A and B. 

For parallel composition, the framework provides a composition operation, by which 
TIOAs modeling individual timed system components can be combined to produce a model 
for a larger timed system. The model for the composed system can describe interactions 
among the components, which involves joint participation in discrete transitions.
Composition requires certain “compatibility” conditions, namely, that each output action be
controlled by at most one automaton, and that internal actions of one automaton cannot
be shared by any other automaton. The composition operation respects traces, for example,
if $A_1$ implements $A_2$ then the composition of $A_1$ and $B$ implements the composition
of $A_2$ and $B$. Composition also satisfies projection and pasting results, which are
fundamental for compositional design and verification of systems: a trace of a composition of
TIOAs “projects” to give traces of the individual TIOAs, and traces of components are
“pastable” to give behaviors of the composition.

If a TIOA approaches a finite point in time without quite reaching it, or schedules
infinitely many discrete actions to happen in a finite amount of time, it is said to exhibit
Zeno behavior, in reference to Zeno’s paradox [4]. The TIOA framework includes a notion
of receptiveness, which is used to classify automata that do not contribute to producing
Zeno behavior, and which is preserved by composition. Receptiveness of a TIOA, $A$, in the
TIOA framework is defined in terms of the existence of a strategy, which is defined as a
subautomaton of $A$ that chooses some of the evolutions from each state of $A$.

The TIOA framework presented in this work is purely mathematical. However, it 
constitutes a natural basis for computer support tools, which are currently under
development [5].

1.2 Evolution of the TIOA framework 

The TIOA modeling framework presented in this work has evolved from the Hybrid
Input/Output Automaton (HIOA) modeling framework for hybrid systems [6] by Lynch,
Segala and Vaandrager. Our approach is based on the assumption that a timed system 
can be viewed as a special kind of a hybrid system where the continuous transformation 
is limited to internal system components that determine the timing of events. Therefore, 
we define a TIOA as a restricted HIOA where the only essential difference between an 
HIOA and a TIOA is that an HIOA may have external variables to model the continuous 
information flowing into and out of the system, in addition to state variables. A major 
consequence of this definition is that the communication between TIOAs is restricted to 
shared-action communication only. The TIOA model does not impose any further
restrictions on the expressive power of the HIOA model.

We have undertaken the project of developing this new modeling framework even 
though there are several timed automaton models that extend the basic I/O automaton 
model [7, 8, 9, 10], because we have observed that the new HIOA modeling framework 
offered a way of improving and simplifying previous work on timed I/O automaton
models [8, 9, 10]. For example, the use of trajectories as first-class objects to represent the
external behavior of a timed automaton, the definition of a strategy as an automaton 
rather than a two-player game, and the variable structure on states are all new features 
that were motivated by what we learned in developing the HIOA framework and that gave 
rise to more elegant definitions and simpler proofs for timed automata. 

We intend the TIOA model to serve as a general semantic framework in which previous 
results for timed I/O automata [9, 7, 8, 10] and other related models [11, 12, 13, 14] can 
be re-cast in a style that is upwardly compatible with the new HIOA model. Limiting 
the communication to discrete interactions is an apt choice since the previous timed I/O 
automaton models also adopt this type of communication. On the other hand, by avoiding
any further restrictions on the general hybrid model, we obtain an expressive model
suitable for specifying complex timing behavior. For example, our model does not require 
variables to be either discrete or to evolve at the same rate as real-time as in some other 
models [11, 13]. Consequently, algorithms such as clock synchronization algorithms that 
use local clocks evolving at different and varying rates can be formalized naturally in our 
framework. 
The fact that HIOAs subsume TIOAs as a special class does not eliminate the need
for having a separate modeling framework for timed systems. First, having no external 
variables in the TIOA model gives rise to considerable simplifications in the theory. For 
example, proving that the composition of two timed automata is a well-defined automaton 
becomes simpler in the absence of external variables; no extra compatibility conditions as 
in the general HIOA framework are needed to obtain the desirable composition theorems 
for TIOAs. 

Second, we believe that focusing on the TIOA model presented in this paper is
compatible with our longer-term goal of developing a unified I/O automaton model that can
address timing-dependent, probabilistic and general hybrid behavior in a common
framework. We are planning to start out with a probabilistic model with discrete interactions
only, and then extend the model to handle timing-dependent behavior, and only at later
stages consider continuous interactions. It would be harder to integrate probabilistic
mechanisms into the full hybrid model than it would be to integrate them into the TIOA model
presented here. 

1.3 Related work 

There are several formalisms and tools for timed systems that are based on automata and 
state transition models. In this section, we briefly introduce those lines of work that we 
think are most closely related to ours. Note that we do not focus on the toolsets and their 
capabilities, but rather on the underlying formal models and languages. 

One of the widely-used formal frameworks for timed systems is that of Alur-Dill timed 
automata [11, 15]. An Alur-Dill automaton is a finite directed multigraph augmented 
with a finite set of clock variables. The semantics of such a timed automaton are defined 
as a state transition system in which each state consists of a location and a clock
valuation. Clocks are assumed to change with the same rate as real-time, that is, with rate
1. Timed automata accept timed languages consisting of sequences of events tagged with 
their occurrence times. Decision problems such as universality and language inclusion are 
undecidable for timed automata. Recently, a version of timed automata called perturbed 
automata has been presented [16]. The clocks in perturbed timed automata can change at
a rate within the interval $[1 - \epsilon, 1 + \epsilon]$, where $\epsilon$ is a given perturbation error. It has been
shown that the language inclusion problem is decidable for systems modeled as products 
of perturbed automata each of which has a single clock. 

The aim of facilitating automated verification seems to have motivated the restrictions 
on the expressive power of the model. The timed automaton model presented in this 
work is more expressive than the model of Alur-Dill automata. In our model, there are 
no finiteness assumptions and no restrictions imposed on the dynamic types of variables. 
Alur-Dill timed automata have been extensively studied from a formal language-theoretic
view [17]. Our focus, on the other hand, has been to develop a general formal framework
with a well-defined notion of external behavior, parallel composition and abstraction that
supports reasoning with simulation relations. 

Uppaal [13, 18] is a widely-used modeling and verification tool for timed systems. It 
supports the description of systems as a network of Alur-Dill timed automata and enhances 
that model with CCS-style communication [19] along with other notions such as committed
and urgent locations. Uppaal also supports (synchronous) broadcast communication
and communication via shared variables. Uppaal has a sophisticated model-checker that
explores the whole state space of the modeled system to verify timing properties. Therefore,
finiteness assumptions are built into the model to make such verification possible
and the operations on clocks are restricted. Uppaal can be used as a model-checker for 
restricted TIOAs. We have done some preliminary work in this direction [20]. 

It would be interesting to work on formal semantics for Uppaal based on some variation 
of our restricted hybrid I/O automaton model. There are several small mismatches due 
to the style of communication and notions such as committed locations. It remains to be 
seen to what extent we can use the communication mechanisms of our automata to model 
these formally. We could, for example, allow a non-empty set of external variables with 
restricted dynamic types and seek restrictions on the use of shared variables in Uppaal, 
which would allow us to view these variables as external variables in the HIOA sense. 

Kronos [21, 22] is another verification tool for timed systems that uses Alur-Dill automata.
This tool requires systems to be represented as timed automata and the correctness
conditions to be expressed in the real-time temporal logic TCTL [23]. Kronos,
as Uppaal, can perform model-checking using a symbolic representation of the infinite
state space by sets of linear constraints. Kronos can model-check full TCTL and implements
the symbolic algorithm developed by [24]. It would be possible to use Kronos as a
model-checker for restricted TIOAs. 

The IF notation, which is the intermediate representation used in the IF toolset [25], 
is based on Alur-Dill automata extended with discrete data variables, communication 
primitives, dynamic process creation and destruction. This notation has been designed 
such that it can serve as a target for the translation of higher-level modeling languages, 
such as real-time extensions of SDL and UML. The support for dynamic process creation 
and destruction appears to be a distinguishing feature of the IF notation. 

A slight generalization of Alur-Dill timed automata is the class of linear hybrid automata
of [26]. In this model, apart from clocks that progress with rate 1, one can also use 
continuous variables whose derivatives are contained in some arbitrary interval. A well- 
known model checking tool for linear hybrid automata is HyTech [27], which uses symbolic 
manipulation techniques as in Uppaal and Kronos. The input language of HyTech can be 
translated into our TIOA model, to apply TIOA verification methods. Likewise, TIOAs 
whose continuous variables conform to the linearity conditions of HyTech could be verified 
using model-checking capabilities of HyTech. 

The timed I/O automaton modeling framework presented in this paper can be used 
to express models that use lower and upper time bounds on tasks or actions [7, 12].
Our framework includes an operation for adding time bounds on a subset of the actions 
of a timed automaton. As a result of this operation, lower bounds are transformed to 
appropriate preconditions for transitions and upper bounds are transformed to stopping 
conditions for trajectories. 

An interesting timed automaton model called “Clock GTA” has been introduced
in [14]. The model was used for describing algorithms that behave in accordance with
their timing constraints in certain intervals but may exhibit timing failures for some other
intervals. The possibility of expressing such an ability turns out to be crucial for performance
and fault-tolerance analysis for practical algorithms [14, 28]. We are interested in
finding a systematic way of describing such behavior with our new timed I/O automaton 
model. 


1.4 Organization of the Book 

The rest of this book is organized as follows. Chapter 2 contains mathematical preliminaries.
Chapter 3 defines notions that are useful for describing the behavior of timed
systems, most importantly, trajectories and timed sequences. Chapter 4 defines timed
automata (TAs), which contain all of the structure of TIOAs except for the classification
of external actions as inputs or outputs. It also defines external behavior for TAs and
implementation and simulation relationships between TAs. Chapter 5 presents composition
and hiding operations for TAs, along with operations for adding bounds that relate TAs
to other timed automaton models. Chapter 6 defines timed I/O automata (TIOAs) by
adding an input/output classification to TAs, and extends the theory of TAs to TIOAs.
It also defines special kinds of TIOAs such as progressive and receptive TIOAs. Chapter 7
presents compositionality results for TIOAs in general, and for the special classes of
progressive and receptive TIOAs. Finally, Chapter 8 presents some conclusions and discusses
future work. Examples are included throughout. 
2 Mathematical Preliminaries


In this chapter, we give basic mathematical definitions and notation that will be used 
as a foundation for our definitions of timed automata and timed I/O automata. These 
definitions involve functions, sequences, partial orders, and untimed automata. 

2.1 Functions and Relations 

If $f$ is a function, then we denote the domain and range of $f$ by $dom(f)$ and $range(f)$,
respectively. If $S$ is a set, then we write $f \lceil S$ for the restriction of $f$ to $S$, that is, the
function $g$ with $dom(g) = dom(f) \cap S$ such that $g(c) = f(c)$ for each $c \in dom(g)$.

We say that two functions $f$ and $g$ are compatible if $f \lceil dom(g) = g \lceil dom(f)$. If
$f$ and $g$ are compatible functions then we write $f \cup g$ for the unique function $h$ with
$dom(h) = dom(f) \cup dom(g)$ satisfying the condition: for each $c \in dom(h)$, if $c \in dom(f)$
then $h(c) = f(c)$ and if $c \in dom(g)$ then $h(c) = g(c)$. More generally, if $F$ is a set of
pairwise compatible functions then we write $\bigcup F$ for the unique function $h$ with $dom(h) =
\bigcup \{dom(f) \mid f \in F\}$ satisfying the condition: for each $f \in F$ and $c \in dom(f)$, $h(c) = f(c)$.

If $f$ is a function whose range is a set of functions and $S$ is a set, then we write $f \downarrow S$
for the function $g$ with $dom(g) = dom(f)$ such that $g(c) = f(c) \lceil S$ for each $c \in dom(g)$.
The restriction operation $\downarrow$ is extended to sets of functions by pointwise extension. Also,
if $f$ is a function whose range is a set of functions, all of which have a particular element $d$
in their domain, then we write $f \downarrow d$ for the function $g$ with $dom(g) = dom(f)$ such that
$g(c) = f(c)(d)$ for each $c \in dom(g)$.

We say that two functions $f$ and $g$ whose ranges are sets of functions are pointwise
compatible if for each $c \in dom(f) \cap dom(g)$, $f(c)$ and $g(c)$ are compatible. If $f$ and $g$ have
the same domain and are pointwise compatible, then we denote by $f \cup g$ the function $h$
with $dom(h) = dom(f)$ such that $h(c) = f(c) \cup g(c)$ for each $c$.

A relation over sets $X$ and $Y$ is defined to be any subset of $X \times Y$. If $R$ is a relation,
then we denote the domain and range of $R$ by $dom(R)$ and $range(R)$, respectively. A
relation $R$ over $X$ and $Y$ is total over $X$ if $dom(R) = X$. If $R$ is a relation over $X$ and $Y$,
and $x \in X$, we define $R(x) = \{y \in Y \mid (x, y) \in R\}$. We say that a relation $R$ over $X$ and
$Y$ is image-finite if for each $x \in X$, $R(x)$ is finite.

2.2 Sequences 

Let $S$ be any set. A sequence $\sigma$ over $S$ is a function from a downward-closed subset of $\mathbb{Z}_{>0}$
to $S$. Thus, the domain of a sequence is either the set of all positive integers, or is of the
form $\{1, \ldots, k\}$ for some $k$. In the first case we say that the sequence is infinite, and in
the second case finite. We use $|\sigma|$ to denote the cardinality of $dom(\sigma)$. The sets of finite
and infinite sequences over $S$ are denoted by $S^*$ and $S^\omega$, respectively. Concatenation of
a finite sequence $\rho$ with a finite or infinite sequence $\sigma$ is denoted by $\rho\,\sigma$. The empty
sequence, that is, the sequence with the empty domain, is denoted by $\lambda$. The sequence
containing one element $c \in S$ is abbreviated as $c$. We say that a sequence $\sigma$ is a prefix of a
sequence $\rho$, denoted by $\sigma \leq \rho$, if $\sigma = \rho \lceil dom(\sigma)$. Thus, $\sigma \leq \rho$ if either $\sigma = \rho$, or $\sigma$ is finite
and $\rho = \sigma\,\sigma'$ for some sequence $\sigma'$. If $\sigma$ is a nonempty sequence then $head(\sigma)$ denotes
the first element of $\sigma$ and $tail(\sigma)$ denotes $\sigma$ with its first element removed. Moreover,
if $\sigma$ is finite, then $last(\sigma)$ denotes the last element of $\sigma$ and $init(\sigma)$ denotes $\sigma$ with its
last element removed. Let $\sigma$ and $\sigma'$ be sequences over $S$. Then $\sigma'$ is a subsequence of $\sigma$
provided that there exists a monotone increasing function $f : dom(\sigma') \to dom(\sigma)$ such
that $\sigma'(i) = \sigma(f(i))$ and $f(i + 1) = f(i) + 1$ for all $i \in dom(\sigma')$. If $1 \leq j_1 \leq j_2 \leq |\sigma|$,
then we define $\sigma(j_1 \ldots j_2)$ to be the subsequence of $\sigma$ obtained by extracting the elements
in positions $j_1, \ldots, j_2$; that is, $\sigma'$ is the subsequence obtained from function $f$ of length
$j_2 - j_1 + 1$, where $f(i) = i + j_1 - 1$ for all $i \in dom(\sigma')$.

2.3 Partial Orders 

We recall some basic definitions and results regarding partial orders, and in particular,
complete partial orders (cpos) from [29, 30]. A partial order is a set $S$ together with a
binary relation $\sqsubseteq$ that is reflexive, antisymmetric, and transitive. In the sequel, we usually
denote posets by the set $S$ without explicit mention of the binary relation $\sqsubseteq$.

A subset $P \subseteq S$ is bounded (above) if there is a $c \in S$ such that $d \sqsubseteq c$ for each $d \in P$;
in this case, $c$ is an upper bound for $P$. A least upper bound (lub) for a subset $P \subseteq S$ is an
upper bound $c$ for $P$ such that $c \sqsubseteq d$ for every upper bound $d$ for $P$. If $P$ has a lub, then
it is necessarily unique, and we denote it by $\bigsqcup P$. A subset $P \subseteq S$ is directed if every finite
subset $Q$ of $P$ has an upper bound in $P$. A poset $S$ is complete, and hence is a complete
partial order (cpo), if every directed subset $P$ of $S$ has a lub in $S$.

We say that $P' \subseteq S$ dominates $P \subseteq S$, denoted by $P \sqsubseteq P'$, if for every $c \in P$ there
is some $c' \in P'$ such that $c \sqsubseteq c'$. We use the following two simple lemmas, adapted from
[30, Lemmas 3.1.1 and 3.1.2].

Lemma 2.1 If $P, P'$ are directed subsets of a cpo $S$ and $P \sqsubseteq P'$ then $\bigsqcup P \sqsubseteq \bigsqcup P'$.

Lemma 2.2 Let $P = \{c_{ij} \mid i \in I, j \in J\}$ be a doubly indexed subset of a cpo $S$. Let $P_i$
denote the set $\{c_{ij} \mid j \in J\}$ for each $i \in I$. Suppose

1. $P$ is directed,

2. each $P_i$ is directed with lub $c_i$, and

3. the set $\{c_i \mid i \in I\}$ is directed.

Then $\bigsqcup P = \bigsqcup \{c_i \mid i \in I\}$.
A finite or infinite sequence of elements, $c_0\, c_1\, c_2 \ldots$ of a partially ordered set $(S, \sqsubseteq)$
is called a chain if $c_i \sqsubseteq c_{i+1}$ for each non-final index $i$. We define the limit of the chain,
$\lim_{i \to \infty} c_i$, to be the lub of the set $\{c_0, c_1, c_2, \ldots\}$ if $S$ contains such a bound; otherwise,
the limit is undefined. Since a chain is a special case of a directed set, each chain of a cpo
has a limit.

A function $f : S \to S'$ between posets $S$ and $S'$ is monotone if $f(c) \sqsubseteq f(d)$ whenever
$c \sqsubseteq d$. If $f$ is monotone and $P$ is a directed set, then the set $f(P) = \{f(c) \mid c \in P\}$ is
directed as well. If $f$ is monotone and $f(\bigsqcup P) = \bigsqcup f(P)$ for every directed $P$, then $f$ is
said to be continuous.

An element $c$ of a cpo $S$ is compact if, for every directed set $P$ such that $c \sqsubseteq \bigsqcup P$,
there is some $d \in P$ such that $c \sqsubseteq d$. We define $K(S)$ to be the set of compact elements
of $S$. A cpo $S$ is algebraic if every $c \in S$ is the lub of the set $\{d \in K(S) \mid d \sqsubseteq c\}$.
A simple example of an algebraic cpo is the set of finite or infinite sequences over some 
given domain, equipped with the prefix ordering. Here the compact elements are the finite 
sequences. 

2.4 A Basic Graph Lemma 

We require the following lemma, a slight generalization of König’s Lemma [31]. If $G$ is a
directed graph, then a root of $G$ is defined to be a node with no incoming edges.

Lemma 2.3 Let G be an infinite directed graph that satisfies the following properties. 

1. G has finitely many roots. 

2. Each node of G has finite outdegree. 

3. Each node of G is reachable from some root of G. 

Then, there is an infinite path in G starting from some root. 

Proof: An extension of the usual proof of König’s Lemma [31]. □
3 Describing Timed System Behavior


In this chapter, we give basic definitions that are useful for describing discrete and
continuous changes to the system’s state. The key notions are static and dynamic types for
variables, trajectories, and hybrid sequences. Most of the material in this chapter comes
from the paper on the HIOA modeling framework [6]. The reader is referred to [6] for the 
proofs that are not included here. 


3.1 Time 

Throughout this paper, we fix a time axis $T$, which is a subgroup of $(\mathbb{R}, +)$, the real
numbers with addition. We assume that every infinite, monotone, bounded sequence of
elements of $T$ has a limit in $T$. The reader may find it convenient to think of $T$ as the set
$\mathbb{R}$ of real numbers, but the set $\mathbb{Z}$ of integers and the singleton set $\{0\}$ are also examples of
allowed time axes. We define $T^{\geq 0} = \{t \in T \mid t \geq 0\}$.

An interval $J$ is a nonempty, convex subset of $T$. We denote intervals as usual: $[t_1, t_2] =
\{t \in T \mid t_1 \leq t \leq t_2\}$, $[t_1, t_2) = \{t \in T \mid t_1 \leq t < t_2\}$, etc. An interval $J$ is left-closed
(right-closed) if it has a minimum (resp., maximum) element, and left-open (right-open)
otherwise. It is closed if it is both left-closed and right-closed. We write $\min(J)$
and $\max(J)$ for the minimum and maximum elements, respectively, of an interval $J$ (if
they exist), and $\inf(J)$ and $\sup(J)$ for the infimum and supremum, respectively, of $J$ in
$\mathbb{R} \cup \{-\infty, \infty\}$. For $K \subseteq T$ and $t \in T$, we define $K + t = \{t' + t \mid t' \in K\}$. Similarly,
for a function $f$ with domain $K$, we define $f + t$ to be the function with domain $K + t$
satisfying, for each $t' \in K + t$, $(f + t)(t') = f(t' - t)$.

In some definitions and theorems in the paper where we use $\mathbb{R}$ as the time domain we
assume that the relation $<$ on $\mathbb{R}$ extends to a relation on $\mathbb{R} \cup \{\infty\}$ such that $\infty < \infty$ and
for all $t \in \mathbb{R}$, $t < \infty$.


3.2 Static and Dynamic Types 

We assume a universal set V of variables. A variable represents a location within the state 
of a system. For each variable v, we assume both a (static) type, which gives the set of 
values it may take on, and a dynamic type, which gives the set of trajectories it may follow. 
Formally, for each variable v we assume the following: 

• $type(v)$, the (static) type of $v$. This is a nonempty set of values.

• $dtype(v)$, the dynamic type of $v$. This is a set of functions from left-closed intervals
of $T$ to $type(v)$ that satisfies the following properties:

1. (Closure under time shift)

For each $f \in dtype(v)$ and $t \in T$, $f + t \in dtype(v)$.

2. (Closure under subinterval)

For each $f \in dtype(v)$ and each left-closed interval $J \subseteq dom(f)$, $f \lceil J \in
dtype(v)$.

3. (Closure under pasting)

Let $f_0\, f_1\, f_2, \ldots$ be a sequence of functions in $dtype(v)$ such that, for each nonfinal
index $i$, $dom(f_i)$ is right-closed and $\max(dom(f_i)) = \min(dom(f_{i+1}))$. Then
the function $f$ defined by $f(t) = f_i(t)$, where $i$ is the smallest index such that
$t \in dom(f_i)$, is in $dtype(v)$.


Example 3.1 (Discrete variables). Let v be any variable and let Constant be the set 
of constant functions from a left-closed interval of T to type(v). Then Constant is closed 
under time shift and subinterval. If the dynamic type of v is obtained by closing Constant 
under the pasting operation, then v is called a discrete variable. This is essentially the 
same as the definition of a discrete variable in [12]. □ 


Example 3.2 (Analog variables). Assume that T = R. Let v be any variable whose 
static type is an interval of R and Continuous be the set of continuous functions from 
a left-closed interval of T to type(v). Then Continuous is closed under time shift and 
subinterval. If the dynamic type of v is obtained by closing Continuous under the pasting 
operation, then $v$ is called an analog variable. Figure 1 shows an example of a function $f$
in the dynamic type of an analog variable. Function $f$ is defined on the interval $[0, 4)$ and
is obtained by pasting together four pieces. At the boundary points between these pieces,
$f$ takes the value specified by the leftmost piece, which makes $f$ continuous from the left.
Note that $f$ is undefined at time 4. □


Example 3.3 (Standard real-valued function classes). If we take T = R and type(v) = R, 
then other examples of dynamic types can be obtained by taking the pasting closure of 
standard function classes from real analysis, the set of differentiable functions, the set of 
functions that are differentiable k times (for any k), the set of smooth functions, the set 
of integrable functions, the set of $L^p$ functions (for any $p$), the set of measurable locally 
essentially bounded functions [32], or the set of all functions. □ 

Standard function classes are closed under time shift and subinterval, but not under 
pasting. A natural way of defining a dynamic type is as the pasting closure of a class of 
functions that is closed under time shift and subinterval. In such a case, it follows that 
the new class is closed under all three operations. 
Figure 1: Example of a function in the dynamic type of an analog variable. 


3.3 Trajectories 

In this section, we define the notion of a trajectory, define operations on trajectories, and 
prove simple properties of trajectories and their operations. A trajectory is used to model 
the evolution of a collection of variables over an interval of time. 


3.3.1 Basic Definitions 

Let $V$ be a set of variables, that is, a subset of $\mathcal{V}$. A valuation $\mathbf{v}$ for $V$ is a function that 
associates with each variable $v \in V$ a value in $type(v)$. We write $val(V)$ for the set of 
valuations for $V$. Let $J$ be a left-closed interval of $T$ with left endpoint equal to 0. Then a 
$J$-trajectory for $V$ is a function $\tau : J \to val(V)$, such that for each $v \in V$, $\tau \downarrow v \in dtype(v)$. 
A trajectory for $V$ is a $J$-trajectory for $V$, for any $J$. We write $trajs(V)$ for the set of all 
trajectories for $V$. If $Q$ is a set of valuations for some set $V$ of variables, we write $trajs(Q)$ 
for the set of all trajectories whose range is a subset of $Q$. 

A trajectory for $V$ where $V = \emptyset$ is simply a function from a time interval to the special 
function with the empty domain. Thus, the only interesting information represented by 
such a trajectory is the length of the time interval that constitutes the domain of the 
trajectory. We use trajectories over the empty set of variables when we wish to capture 
the amount of time-passage but abstract away the evolution of variables. 

A trajectory for $V$ with domain $[0,0]$ is called a point trajectory for $V$. If $\mathbf{v}$ is a 
valuation for $V$ then $\wp(\mathbf{v})$ denotes the point trajectory for $V$ that maps 0 to $\mathbf{v}$. We say 
that a $J$-trajectory is finite if $J$ is a finite interval, closed if $J$ is a (finite) closed interval, 
open if $J$ is a right-open interval, and full if $J = T^{\geq 0}$. If $T$ is a set of trajectories, then 
$finite(T)$, $closed(T)$, $open(T)$, and $full(T)$ denote the subsets of $T$ consisting of all the 
finite, closed, open, and full trajectories in $T$, respectively. 

If $\tau$ is a trajectory then $\tau.ltime$, the limit time of $\tau$, is the supremum of $dom(\tau)$. We 
define $\tau.fval$, the first valuation of $\tau$, to be $\tau(0)$, and if $\tau$ is closed, we define $\tau.lval$, the 
last valuation of $\tau$, to be $\tau(\tau.ltime)$. For $\tau$ a trajectory and $t \in T^{\geq 0}$, we define 

$$\tau \trianglelefteq t = \tau \lceil [0, t],$$

$$\tau \triangleleft t = \tau \lceil [0, t),$$

$$\tau \trianglerighteq t = (\tau \lceil [t, \infty)) - t.$$

Note that, since dynamic types are closed under time shift and subintervals, the result of 
applying the above operations is always a trajectory, except when the result is a function 
with an empty domain. By convention, we also write $\tau \trianglelefteq \infty = \tau$ and $\tau \triangleleft \infty = \tau$. 

3.3.2 Prefix Ordering 

Trajectory $\tau$ is a prefix of trajectory $\upsilon$, denoted by $\tau \leq \upsilon$, if $\tau$ can be obtained by restricting 
$\upsilon$ to a subset of its domain. Formally, if $\tau$ and $\upsilon$ are trajectories for $V$, then $\tau \leq \upsilon$ iff 
$\tau = \upsilon \lceil dom(\tau)$. Alternatively, $\tau \leq \upsilon$ iff there exists a $t \in T^{\geq 0} \cup \{\infty\}$ such that $\tau = \upsilon \trianglelefteq t$ 
or $\tau = \upsilon \triangleleft t$. If $\tau \leq \upsilon$ then clearly $dom(\tau) \subseteq dom(\upsilon)$. If $T$ is a set of trajectories for $V$, 
then $pref(T)$ denotes the prefix closure of $T$, defined by: 

$$pref(T) = \{\tau \in trajs(V) \mid \exists \upsilon \in T : \tau \leq \upsilon\}.$$

We say that $T$ is prefix closed if $T = pref(T)$. 

The following lemma gives a simple domain-theoretic characterization of the set of 
trajectories over a given set V of variables: 

Lemma 3.4 Let $V$ be a set of variables. The set $trajs(V)$ of trajectories for $V$, together 
with the prefix ordering $\leq$, is an algebraic cpo. Its compact elements are the closed 
trajectories. 

3.3.3 Concatenation 

The concatenation of two trajectories is obtained by taking the union of the first trajectory 
and the function obtained by shifting the domain of the second trajectory until the start 
time agrees with the limit time of the first trajectory; the last valuation of the first 
trajectory, which may not be the same as the first valuation of the second trajectory, is 
the one that appears in the concatenation. Formally, suppose $\tau$ and $\tau'$ are trajectories for 
$V$, with $\tau$ closed. Then the concatenation $\tau \frown \tau'$ is the function given by 

$$\tau \frown \tau' = \tau \cup (\tau' \lceil (0, \infty) + \tau.ltime).$$

Because dynamic types are closed under time shift and pasting, it follows that $\tau \frown \tau'$ is a 
trajectory for $V$. Observe that $\tau \frown \tau'$ is finite (resp., closed, full) if and only if $\tau'$ is finite 
(resp., closed, full). Observe also that concatenation is associative. 

The following lemma, which is easy to prove, shows the close connection between 
concatenation and the prefix ordering. 

Lemma 3.5 Let $\tau$ and $\upsilon$ be trajectories for $V$ with $\tau$ closed. Then 

$$\tau \leq \upsilon \Leftrightarrow \exists \tau' : \upsilon = \tau \frown \tau'.$$

Note that if $\tau \leq \upsilon$, then the trajectory $\tau'$ such that $\upsilon = \tau \frown \tau'$ has an arbitrary value for 
$\tau'.fval$ and the remainder of the trajectory is unique. Note also that the "$\Leftarrow$" implication 
in Lemma 3.5 would not hold if the first valuation of the second argument, rather than 
the last valuation of the first argument, were used in the concatenation. 

We extend the definition of concatenation to any (finite or countably infinite) number 
of arguments. Let $\tau_0\, \tau_1\, \tau_2 \ldots$ be a (finite or infinite) sequence of trajectories such that $\tau_i$ 
is closed for each nonfinal index $i$. Define trajectories $\tau'_0, \tau'_1, \tau'_2, \ldots$ inductively by 

$$\tau'_0 = \tau_0,$$

$$\tau'_{i+1} = \tau'_i \frown \tau_{i+1} \quad \text{for nonfinal } i.$$

Lemma 3.5 implies that for each nonfinal $i$, $\tau'_i \leq \tau'_{i+1}$. We define the concatenation 
$\tau_0 \frown \tau_1 \frown \tau_2 \cdots$ to be the limit of the chain $\tau'_0\, \tau'_1 \ldots$; existence of this limit follows from 
Lemma 3.4. 
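The operations of Sections 3.3.1 and 3.3.3 can be made concrete for the time domain $T = \mathbb{R}$. The following Python code is an added example, not part of the monograph: it represents a trajectory by a function of time together with its limit time and a closedness flag (an assumed representation), and implements $\tau \trianglelefteq t$, $\tau \triangleleft t$, $\tau \trianglerighteq t$ and $\tau \frown \tau'$ for a trajectory that pastes a discrete variable `n` (Example 3.1) and an analog variable `clock` (Example 3.2). The seam rule of concatenation, that the last valuation of the first argument wins, is what the demo checks.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Valuation = Dict[str, float]


@dataclass(frozen=True)
class Trajectory:
    """A trajectory as in Section 3.3.1: a function from a left-closed interval
    J of T = R with left endpoint 0 to valuations.  J is represented by its
    supremum `ltime` (math.inf for a full trajectory) and a flag saying whether
    the right endpoint belongs to J.  This representation is an assumption of
    the example, not the monograph's."""
    f: Callable[[float], Valuation]
    ltime: float
    closed: bool

    def in_dom(self, t: float) -> bool:
        return 0.0 <= t < self.ltime or (self.closed and t == self.ltime)

    def __call__(self, t: float) -> Valuation:
        if not self.in_dom(t):
            raise ValueError(f"{t} is not in dom(tau)")
        return dict(self.f(t))

    @property
    def fval(self) -> Valuation:            # tau.fval = tau(0)
        return self(0.0)

    @property
    def lval(self) -> Valuation:            # tau.lval, defined for closed tau only
        if not self.closed:
            raise ValueError("lval is defined for closed trajectories only")
        return self(self.ltime)

    def prefix_le(self, t: float) -> "Trajectory":
        """tau <| t: restriction to [0, t]; for t >= ltime nothing is cut off."""
        if t >= self.ltime:
            return self
        return Trajectory(self.f, t, True)

    def prefix_lt(self, t: float) -> Optional["Trajectory"]:
        """tau < t: restriction to [0, t); None when the domain would be empty."""
        if t <= 0.0:
            return None
        if t > self.ltime:
            return self
        return Trajectory(self.f, t, False)

    def suffix(self, t: float) -> "Trajectory":
        """tau |> t: restrict to [t, oo) and shift left by t; needs t in dom(tau)."""
        if not self.in_dom(t):
            raise ValueError("suffix needs t in dom(tau)")
        g = self.f
        return Trajectory(lambda s: g(s + t), self.ltime - t, self.closed)

    def concat(self, other: "Trajectory") -> "Trajectory":
        """tau ^ tau': tau must be closed; other is shifted to start at
        tau.ltime, and at that seam the last valuation of tau is kept."""
        if not self.closed:
            raise ValueError("the first argument of ^ must be closed")
        seam, f1, f2 = self.ltime, self.f, other.f
        return Trajectory(lambda s: f1(s) if s <= seam else f2(s - seam),
                          seam + other.ltime, other.closed)


def discrete(val: Valuation, ltime: float, closed: bool = True) -> Trajectory:
    """A trajectory in which every variable is discrete (Example 3.1): constant."""
    return Trajectory(lambda t: val, ltime, closed)


def linear(v0: Valuation, rates: Dict[str, float], ltime: float,
           closed: bool = True) -> Trajectory:
    """Analog variables with d(v) = rate, discrete ones (rate 0) constant."""
    return Trajectory(lambda t: {v: v0[v] + rates.get(v, 0.0) * t for v in v0},
                      ltime, closed)


def demo() -> dict:
    # Two pieces constructed for this example: on the first, the discrete
    # variable n is 0 and the analog clock runs from 0 for one time unit; on
    # the second, n is 1 and clock continues from 1 for two more units.
    tau1 = linear({"n": 0.0, "clock": 0.0}, {"clock": 1.0}, 1.0)
    tau2 = linear({"n": 1.0, "clock": 1.0}, {"clock": 1.0}, 2.0)
    tau = tau1.concat(tau2)                      # domain [0, 3]
    return {
        "ltime": tau.ltime,
        "at_seam": tau(1.0),                     # leftmost piece wins: n == 0
        "after_seam": tau(1.5),                  # n == 1, clock == 1.5
        "prefix_restores_tau1": tau.prefix_le(1.0).lval == tau1.lval,
        "suffix_fval": tau.suffix(1.0).fval,     # tau |> 1 starts at tau(1)
        "open_prefix_is_closed": tau.prefix_lt(3.0).closed,
        "empty_prefix": tau.prefix_lt(0.0),
    }
```

The `suffix_fval` entry illustrates the remark after Lemma 3.5: $\tau \trianglerighteq 1$ starts with the seam valuation, and `tau1.concat(tau.suffix(1.0))` reproduces `tau` whatever first valuation the suffix is given, because concatenation discards it.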


3.4 Hybrid Sequences 

In this section, we introduce the notion of a hybrid sequence, which is used to model a 
combination of changes that occur instantaneously and changes that occur over intervals 
of time. Our definition is parameterized by a set $A$ of actions, which are used to model 
instantaneous changes and instantaneous synchronizations with the environment, and a 
set $V$ of variables, which are used to model changes over intervals of time. We also define 
some special kinds of hybrid sequences and some operations on hybrid sequences, and give 
basic properties. 
3.4.1 Basic Definitions 


Fix a set $A$ of actions and a set $V$ of variables. An $(A, V)$-sequence is a finite or infinite 
alternating sequence $\alpha = \tau_0\, a_1\, \tau_1\, a_2 \ldots$ where 

1. each $\tau_i$ is a trajectory in $trajs(V)$, 

2. each $a_i$ is an action in $A$, 

3. if $\alpha$ is a finite sequence then it ends with a trajectory, and 

4. if $\tau_i$ is not the last trajectory in $\alpha$ then $\tau_i$ is closed. 

A hybrid sequence is an $(A, V)$-sequence for some $A$ and $V$. 

Since the trajectories in a hybrid sequence can be point trajectories, our notion of 
hybrid sequence allows a sequence of discrete actions to occur at the same real time, with 
corresponding changes of variable values. An alternative approach is described in [33], 
where state changes at a single real time are modeled using a notion of "superdense time". 
Specifically, hybrid behavior is modeled in [33] using functions from an extended time 
domain, which includes countably many elements for each real time, to states. 

If $\alpha$ is a hybrid sequence, with notation as above, then we define the limit time of $\alpha$, 
$\alpha.ltime$, to be $\sum_i \tau_i.ltime$. A hybrid sequence $\alpha$ is defined to be: 

• time-bounded if $\alpha.ltime$ is finite. 

• admissible if $\alpha.ltime = \infty$. 

• closed if $\alpha$ is a finite sequence and its final trajectory is closed. 

• Zeno if $\alpha$ is neither closed nor admissible, that is, if $\alpha$ is time-bounded and is either 
an infinite sequence, or else a finite sequence ending with a trajectory whose domain 
is right-open. 

• non-Zeno if $\alpha$ is not Zeno. 

For any hybrid sequence $\alpha$, we define the first valuation of $\alpha$, $\alpha.fval$, to be $head(\alpha).fval$. 
Also, if $\alpha$ is closed, we define the last valuation of $\alpha$, $\alpha.lval$, to be $last(\alpha).lval$, that is, the 
last valuation in the final trajectory of $\alpha$. 

If $\alpha$ is a closed $(A, V)$-sequence, where $V = \emptyset$, and $\beta \in trajs(\emptyset)$, we call $\alpha \frown \beta$ a 
time-extension of $\alpha$. 
3.4.2 Prefix Ordering 

We say that $(A, V)$-sequence $\alpha = \tau_0\, a_1\, \tau_1 \ldots$ is a prefix of $(A, V)$-sequence $\beta = \upsilon_0\, b_1\, \upsilon_1 \ldots$, 
denoted by $\alpha \leq \beta$, provided that (at least) one of the following holds: 

1. $\alpha = \beta$. 

2. $\alpha$ is a finite sequence ending in some $\tau_k$; $\tau_i = \upsilon_i$ and $a_{i+1} = b_{i+1}$ for every $i$, $0 \leq i < k$; 
and $\tau_k \leq \upsilon_k$. 

Like the set of trajectories over $V$, the set of $(A, V)$-sequences is an algebraic cpo: 

Lemma 3.6 Let $V$ be a set of variables and $A$ a set of actions. The set of $(A, V)$-sequences, 
together with the prefix ordering $\leq$, is an algebraic cpo. Its compact elements 
are the closed $(A, V)$-sequences. 

3.4.3 Concatenation 

Suppose $\alpha$ and $\alpha'$ are $(A, V)$-sequences with $\alpha$ closed. Then the concatenation $\alpha \frown \alpha'$ is 
the $(A, V)$-sequence given by 

$$\alpha \frown \alpha' = init(\alpha)\; (last(\alpha) \frown head(\alpha'))\; tail(\alpha').$$

(Here, $init$, $last$, $head$ and $tail$ are ordinary sequence operations.) 

Lemma 3.7 Let $\alpha$ and $\beta$ be $(A, V)$-sequences with $\alpha$ closed. Then 

$$\alpha \leq \beta \Leftrightarrow \exists \alpha' : \beta = \alpha \frown \alpha'.$$

Note that if $\alpha \leq \beta$, then the $(A, V)$-sequence $\alpha'$ such that $\beta = \alpha \frown \alpha'$ is unique except 
that it has an arbitrary value in $val(V)$ for $\alpha'.fval$. 

As we did for trajectories, we extend the concatenation definition for $(A, V)$-sequences 
to any finite or infinite number of arguments. Let $\alpha_0\, \alpha_1 \ldots$ be a finite or infinite sequence 
of $(A, V)$-sequences such that $\alpha_i$ is closed for each nonfinal index $i$. Define $(A, V)$-sequences 
$\alpha'_0, \alpha'_1, \ldots$ inductively by 

$$\alpha'_0 = \alpha_0,$$

$$\alpha'_{i+1} = \alpha'_i \frown \alpha_{i+1} \quad \text{for nonfinal } i.$$

Lemma 3.7 implies that for each nonfinal $i$, $\alpha'_i \leq \alpha'_{i+1}$. We define the concatenation 
$\alpha_0 \frown \alpha_1 \cdots$ to be the limit of the chain $\alpha'_0\, \alpha'_1 \ldots$; existence of this limit is ensured by 
Lemma 3.6. 
3.4.4 Restriction 


Let $A$ and $A'$ be sets of actions and let $V$ and $V'$ be sets of variables. The $(A', V')$-restriction 
of an $(A, V)$-sequence $\alpha$, denoted by $\alpha \lceil (A', V')$, is obtained by first projecting 
all trajectories of $\alpha$ on the variables in $V'$, then removing the actions not in $A'$, and finally 
concatenating all adjacent trajectories. Formally, we define the $(A', V')$-restriction first 
for closed $(A, V)$-sequences and then extend the definition to arbitrary $(A, V)$-sequences 
using a limit construction. The definition for closed $(A, V)$-sequences is by induction on 
the length of those sequences: 

$$
\begin{aligned}
\tau \lceil (A', V') &= \tau \downarrow V' \quad \text{if } \tau \text{ is a single trajectory,} \\
\alpha\, a\, \tau \lceil (A', V') &= \begin{cases} (\alpha \lceil (A', V'))\; a\; (\tau \downarrow V') & \text{if } a \in A', \\ (\alpha \lceil (A', V')) \frown (\tau \downarrow V') & \text{otherwise.} \end{cases}
\end{aligned}
$$

It is easy to see that the restriction operator is monotone on the set of closed $(A, V)$-sequences. 
Hence, if we apply this operation to a directed set, the result is again a directed 
set. Together with Lemma 3.6, this allows us to extend the definition of restriction to 
arbitrary $(A, V)$-sequences by: 

$$\alpha \lceil (A', V') = \bigsqcup \{\beta \lceil (A', V') \mid \beta \text{ is a closed prefix of } \alpha\}.$$


The next four lemmas state some basic properties of the restriction operation. 

Lemma 3.8 $(A', V')$-restriction is a continuous operation. 

Lemma 3.9 $(\alpha_0 \frown \alpha_1 \cdots) \lceil (A, V) = \alpha_0 \lceil (A, V) \frown \alpha_1 \lceil (A, V) \cdots$ 

Lemma 3.10 $(\alpha \lceil (A, V)) \lceil (A', V') = \alpha \lceil (A \cap A', V \cap V')$. 

Lemma 3.11 Let $\alpha$ be a hybrid sequence, $A$ a set of actions and $V$ a set of variables. 

1. $\alpha$ is time-bounded if and only if $\alpha \lceil (A, V)$ is time-bounded. 

2. $\alpha$ is admissible if and only if $\alpha \lceil (A, V)$ is admissible. 

3. If $\alpha$ is closed then $\alpha \lceil (A, V)$ is closed. 

4. If $\alpha$ is non-Zeno then $\alpha \lceil (A, V)$ is non-Zeno. 


Example 3.12 (A Zeno execution with a closed $(A, V)$-restriction). In order to understand 
why in Lemma 3.11 we have an implication in only one direction in items 3 and 4, 
consider the Zeno sequence $\alpha$ of the form $\wp(\mathbf{v})\, a\, \wp(\mathbf{v})\, a\, \wp(\mathbf{v}) \ldots$. Let $A$ be a set such that 
$a \notin A$ and let $V$ consist of the variables in $dom(\mathbf{v})$. Obviously, $\alpha \lceil (A, V)$, which is $\wp(\mathbf{v})$, is 
closed, and hence also non-Zeno. This shows that the fact that $\alpha \lceil (A, V)$ is closed (resp., 
non-Zeno) does not imply that $\alpha$ is closed (resp., non-Zeno). □ 
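The restriction operator of Section 3.4.4 and the classification of Section 3.4.1 are worth running on concrete data, because restriction is what later lets one look at a component's external behaviour while hiding its internals. The following Python code is an added example, not from the monograph: it stores trajectories of discrete variables as piecewise-constant functions (an assumed representation; a seam belongs to the earlier piece, as in the pasting rule), stores a finite $(A, V)$-sequence as an alternating tuple, and implements $\alpha \lceil (A', V')$ exactly by the inductive clauses above. The demo runs a finite cut of Example 3.12 and a Zeno sequence whose restriction stays Zeno, and checks one instance of Lemma 3.10.

```python
import math
from dataclasses import dataclass
from typing import Any, Dict, Set, Tuple

Valuation = Dict[str, Any]


@dataclass(frozen=True)
class Traj:
    """Trajectory of discrete variables (Example 3.1): piecewise constant.
    `pieces` holds (valuation, duration) pairs; `closed` says whether the right
    endpoint belongs to the domain.  A seam belongs to the earlier piece, so a
    zero-length piece after the first is never observed and is dropped.
    This representation is assumed for the example, not taken from the monograph."""
    pieces: Tuple[Tuple[Valuation, float], ...]
    closed: bool = True

    def __post_init__(self):
        norm = []
        for val, d in self.pieces:
            if norm and norm[-1][0] == val:          # merge equal neighbours
                norm[-1] = (val, norm[-1][1] + d)
            elif norm and d == 0.0:                  # unobservable, see above
                continue
            else:
                norm.append((val, d))
        object.__setattr__(self, "pieces", tuple(norm))

    @property
    def ltime(self) -> float:
        return sum(d for _, d in self.pieces)

    def at(self, t: float) -> Valuation:
        start = 0.0
        for k, (val, d) in enumerate(self.pieces):
            end = start + d
            last = k == len(self.pieces) - 1
            if 0.0 <= t < end or (t == end and (self.closed or not last)):
                return val
            start = end
        raise ValueError(f"{t} is not in dom(tau)")

    def project(self, vs: Set[str]) -> "Traj":          # tau projected on V'
        return Traj(tuple(({x: a for x, a in val.items() if x in vs}, d)
                          for val, d in self.pieces), self.closed)

    def concat(self, other: "Traj") -> "Traj":         # tau ^ tau'
        if not self.closed:
            raise ValueError("the first argument of ^ must be closed")
        return Traj(self.pieces + other.pieces, other.closed)


def point(v: Valuation) -> Traj:
    """The point trajectory p(v) with domain [0, 0]."""
    return Traj(((v, 0.0),), True)


@dataclass(frozen=True)
class HybridSeq:
    """A finite (A, V)-sequence tau0 a1 tau1 ... tau_n (Section 3.4.1).  An
    infinite sequence such as the one in Example 3.12 cannot be stored, but a
    last trajectory of infinite length can (an admissible sequence)."""
    items: Tuple[Any, ...]

    def __post_init__(self):
        if len(self.items) % 2 == 0:
            raise ValueError("an (A, V)-sequence ends with a trajectory")
        for tr in self.items[:-1:2]:
            if not tr.closed:
                raise ValueError("every non-final trajectory must be closed")

    @property
    def trajs(self) -> Tuple[Traj, ...]:
        return self.items[0::2]

    @property
    def ltime(self) -> float:                  # alpha.ltime = sum of tau_i.ltime
        return sum(tr.ltime for tr in self.trajs)

    def kind(self) -> str:
        """Classification of Section 3.4.1: closed, admissible or Zeno."""
        if self.trajs[-1].closed:
            return "closed"
        if self.ltime == math.inf:
            return "admissible"
        return "Zeno"

    def restrict(self, acts: Set[str], vs: Set[str]) -> "HybridSeq":
        """(A', V')-restriction (Section 3.4.4): project each trajectory on V',
        drop actions outside A' and concatenate trajectories made adjacent."""
        out = [self.trajs[0].project(vs)]
        for a, tr in zip(self.items[1::2], self.items[2::2]):
            if a in acts:
                out += [a, tr.project(vs)]
            else:
                out[-1] = out[-1].concat(tr.project(vs))
        return HybridSeq(tuple(out))


def demo() -> dict:
    v, w = {"x": 0, "y": 0}, {"x": 1, "y": 2}          # constructed valuations
    # Example 3.12 cut off after three point trajectories: p(v) a p(v) a p(v).
    alpha = HybridSeq((point(v), "a", point(v), "a", point(v)))
    # A Zeno sequence: a closed trajectory, action b, then a right-open one.
    beta = HybridSeq((Traj(((v, 1.0),)), "b", Traj(((w, 0.5),), closed=False)))
    beta_r = beta.restrict(set(), {"x"})                 # removes b, drops y
    return {
        "alpha_without_a": alpha.restrict({"b"}, {"x", "y"}) == HybridSeq((point(v),)),
        "beta_kind": beta.kind(),
        "beta_r_kind": beta_r.kind(),                    # Lemma 3.11(1): still time-bounded
        "beta_r_ltime": beta_r.ltime,
        "beta_r_at_seam": beta_r.trajs[0].at(1.0),       # earlier piece: x == 0
        "beta_r_after_seam": beta_r.trajs[0].at(1.25),   # x == 1, y gone
        "lemma_3_10": (beta.restrict({"b"}, {"x", "y"}).restrict(set(), {"x"})
                       == beta.restrict(set(), {"x"})),
    }
```

Because the cut of Example 3.12 is finite it is closed rather than Zeno; the point the example makes about the infinite $\alpha$ is visible in the second case instead, where removing the only action merges two trajectories into one right-open trajectory, so the restriction is Zeno exactly because $\beta$ is.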
4 Timed Automata 


In this chapter, as a preliminary step toward defining timed I/O automata, we define a 
slightly more general timed automaton model. In timed automata, actions are classified as 
external or internal, but external actions are not further classified as input or output; the 
input/output distinction is added in Chapter 6. We define how timed automata execute 
and define implementation and simulation relations between timed automata. 

4.1 Definition of Timed Automata 

A timed automaton is a state machine whose states are divided into variables, and that 
has a set of discrete actions, some of which may be internal and some external. The state 
of a timed automaton may change in two ways: by discrete transitions, which change 
the state atomically, and by trajectories, which describe the evolution of the state over 
intervals of time. The discrete transitions are labeled with actions; this will allow us to 
synchronize the transitions of different timed automata when we compose them in parallel. 
The evolution described by a trajectory may be described by continuous or discontinuous 
functions. 

Formally, a timed automaton (TA) $\mathcal{A} = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ consists of: 

• A set $X$ of internal variables. 

• A set $Q \subseteq val(X)$ of states. 

• A nonempty set $\Theta \subseteq Q$ of start states. 

• A set $E$ of external actions and a set $H$ of internal actions, disjoint from each other. 
We write $A = E \cup H$. 

• A set $\mathcal{D} \subseteq Q \times A \times Q$ of discrete transitions. 

We use $x \xrightarrow{a}_{\mathcal{A}} x'$ as shorthand for $(x, a, x') \in \mathcal{D}$. Here and elsewhere, we sometimes 
drop the subscript and write $x \xrightarrow{a} x'$, when we think $\mathcal{A}$ should be clear from the 
context. We say that $a$ is enabled in $x$ if $x \xrightarrow{a} x'$ for some $x'$. We say that a set $C$ 
of actions is enabled in a state $x$ if some action in $C$ is enabled in $x$. 

• A set $\mathcal{T} \subseteq trajs(Q)$ of trajectories. Given a trajectory $\tau \in \mathcal{T}$ we denote $\tau.fval$ by 
$\tau.fstate$ and, if $\tau$ is closed, we denote $\tau.lval$ by $\tau.lstate$. When $\tau.fstate = x$ and 
$\tau.lstate = x'$, we write $x \xrightarrow{\tau} x'$. We require that the following axioms hold: 

T0 (Existence of point trajectories) 

If $x \in Q$ then $\wp(x) \in \mathcal{T}$. 

T1 (Prefix closure) 

For every $\tau \in \mathcal{T}$ and every $\tau' \leq \tau$, $\tau' \in \mathcal{T}$. 

T2 (Suffix closure) 

For every $\tau \in \mathcal{T}$ and every $t \in dom(\tau)$, $\tau \trianglerighteq t \in \mathcal{T}$. 

T3 (Concatenation closure) 

Let $\tau_0\, \tau_1\, \tau_2 \ldots$ be a sequence of trajectories in $\mathcal{T}$ such that, for each nonfinal 
index $i$, $\tau_i$ is closed and $\tau_i.lstate = \tau_{i+1}.fstate$. Then $\tau_0 \frown \tau_1 \frown \tau_2 \cdots \in \mathcal{T}$. 

A timed automaton is essentially a hybrid automaton in the sense of [6] in which $W$, the 
set of external variables, is empty. Apart from that, the only difference is the addition of 
Axiom T0, a small restriction that does not affect any of the results of [6] but that we 
need to prove Theorem 7.7. Axioms T1-3 express some natural further conditions on the 
set of trajectories that we need to construct our theory. A key part of this theory is a 
parallel composition operation for timed automata. In a composed system, any trajectory 
of any component automaton may be interrupted at any time by a discrete transition of 
another (possibly independent) component automaton. Axiom T1 ensures that the part 
of the trajectory up to the discrete transition is a trajectory, and Axiom T2 ensures that 
the remainder is a trajectory. Axiom T3 is required because the environment of a timed 
automaton, as a result of its own internal discrete transitions, may change its dynamics 
repeatedly, and the automaton must be able to follow this behavior. 

Our definition of a timed automaton differs from previous definitions of timed au¬ 
tomata [10, 8] in two major respects. First, the states are structured using variables, 
which have dynamic types with specific closure properties. The variable structure is con¬ 
venient for writing specifications and the dynamic types are useful in analyzing continuous 
evolution of the state. Second, the set of trajectories is defined as an explicit component of 
an automaton. In the previous definitions, time-passage was represented by special time- 
passage actions and trajectories were defined implicitly, as auxiliary functions describing 
the effects of time-passage actions on states. 


Notation: We often denote the components of a TA $\mathcal{A}$ by $X_{\mathcal{A}}$, $Q_{\mathcal{A}}$, $\Theta_{\mathcal{A}}$, $E_{\mathcal{A}}$, etc., and 
the components of a TA $\mathcal{A}_i$ by $X_i$, $Q_i$, $\Theta_i$, $E_i$, etc. We sometimes omit these subscripts, 
where no confusion seems likely. In examples we typically specify sets of trajectories using 
differential and algebraic equations and inclusions. Below we explain a few notational 
conventions that help us in doing this. Suppose the time domain $T$ is $\mathbb{R}$, $\tau$ is a (fixed) 
trajectory over some set of variables $V$, and $v \in V$. With some abuse of notation, we 
use the variable name $v$ to denote the function $\tau \downarrow v$ in $dom(\tau) \to type(v)$, which gives 
the value of $v$ at all times during trajectory $\tau$. That is, for all $t \in dom(\tau)$, we have 
$v(t) = (\tau \downarrow v)(t) = \tau(t)(v)$. Similarly, we view any expression $e$ containing variables from 
$V$ as a function with domain $dom(\tau)$. Suppose that $v$ is a variable and $e$ is a real-valued 
expression containing variables from $V$. Using these conventions we can say, for example, 
that $\tau$ satisfies the algebraic equation 

$$v = e$$

which means that, for every $t \in dom(\tau)$, $v(t) = e(t)$, that is, the constraint on the variables 
expressed by the equation $v = e$ holds for each state on trajectory $\tau$. Now suppose also 
that $e$, when viewed as a function, is integrable. Then we say that $\tau$ satisfies 

$$d(v) = e$$

if, for every $t \in dom(\tau)$, $v(t) = v(0) + \int_0^t e(t')\,dt'$. Equivalently, for every $t_1, t_2 \in dom(\tau)$ 
such that $t_1 \leq t_2$, $v(t_2) = v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. Note that this interpretation of the differential 
equation makes sense even at points where $v$ is not differentiable. A similar interpretation 
of differential equations is used by Polderman and Willems [34], who call functions defined 
in this way "weak solutions". 

We generalize this notation to handle inequalities as well as equalities. Suppose that $v$ 
is a variable and $e$ is a real-valued expression containing variables from $V$. The inequality 

$$e \leq v$$

means that, for every $t \in dom(\tau)$, $e(t) \leq v(t)$. That is, the constraint expressed by the 
inequality $e \leq v$ holds for each state of trajectory $\tau$. Similarly, the inequality 

$$v \leq e$$

means that, for every $t \in dom(\tau)$, $v(t) \leq e(t)$. Now suppose that $e$ is integrable when 
viewed as a function. Then we say that $\tau$ satisfies 

$$e \leq d(v)$$

if, for every $t_1, t_2 \in dom(\tau)$ such that $t_1 \leq t_2$, $v(t_1) + \int_{t_1}^{t_2} e(t')\,dt' \leq v(t_2)$, and $\tau$ satisfies 

$$d(v) \leq e$$

if, for every $t_1, t_2 \in dom(\tau)$ such that $t_1 \leq t_2$, $v(t_2) \leq v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. 


Conventions for automata specifications: In all the examples of this monograph 
we assume the time axis T to be R and specify timed automata by using a variant of the 
TIOA language presented in [35, 36, 37, 38]. 

An automaton specification consists of four main parts: a signature, which lists the 
actions along with their kinds (external or internal), and parameter types, a state variables 
list, which declares the names and types of state variables, a collection of transition 
definitions and a trajectories definition. 





Unless specified otherwise, the set of states of an automaton equals the set of all 
valuations of its state variables. Static types of variables are always declared explicitly 
in the state variables list. For example, we write v:t for a variable v of static type 
t. Moreover, a variable can be initialized to a specific value allowed by its type. For 
example, in order to initialize the variable v above to the value val, we write v:t := val. 
If no initial value is specified it is assumed to be arbitrary. The state variables list in 
an automaton specification can be followed by an initially clause, which consists of a 
predicate that constrains the automaton parameters and initial values of state variables. 
All of the static types used in the examples have standard interpretations, except possibly 
for the type AugmentedReal, which denotes $\mathbb{R} \cup \{\infty\}$. 

The dynamic types of variables are specified implicitly. By default, variables of type 
Real are assumed to be analog and variables of types other than Real are assumed to be 
discrete. The definition of what it means for a variable to be discrete or analog is given 
in Examples 3.1 and 3.2. The keyword discrete is used to qualify a discrete variable of 
type Real. Although timed automata may contain variables that are neither discrete nor 
analog, none of our examples use such variables. 

The transitions are specified in precondition-effect style. A pre clause specifies the 
enabling condition for an action. An eff clause contains a list of statements that specify 
the effect of performing that action on the state. All the statements in an effect clause are 
assumed to be executed sequentially in a single indivisible step. The absence of a specified 
precondition for an action means that the action is always enabled and the absence of a 
specified effect means that performing the action does not change the state. 

The trajectories are specified using a combination of algebraic and differential equations 
and inequalities, and stopping conditions. A trajectory belongs to the set of legal 
trajectories of an automaton if it satisfies the stopping condition expressed by the stop 
when clause, and the equations or inequalities in the evolve clause. The stopping condition 
is satisfied by a trajectory if the only state in which the condition holds is the last 
state of that trajectory. That is, time cannot advance beyond the point where the stopping 
condition is true. The evolve clause specifies the algebraic and differential equations 
that must be satisfied by the trajectories. We write d(v) = e for $d(v) = e$, d(v) ≤ e for 
$d(v) \leq e$ and e ≤ d(v) for $e \leq d(v)$. We assume that the evolution of each variable follows 
a continuous function throughout a trajectory. This implies that the value of a discrete 
variable is constant throughout a trajectory: time-passage does not change the value of 
discrete variables. 

Example 4.1 (Time-bounded channel). The automaton TimedChannel in Fig. 2 is the 
specification of a reliable FIFO channel that delivers its messages within a certain time 
bound, represented by the automaton parameter b of type Real which is nonnegative. The 
other automaton parameter M is an arbitrary type parameter that represents the type of 
messages communicated by the channel. 

    automaton TimedChannel(b: Real, M: Type)
      type Packet = tuple of message: M, deadline: Real
      signature
        external send(m: M), receive(m: M)
      states
        queue: Queue[Packet] := {},
        now: Real := 0
      initially b ≥ 0
      transitions
        external send(m)
          eff queue := append([m, now + b], queue)
        external receive(m)
          pre head(queue).message = m
          eff queue := tail(queue)
      trajectories
        stop when
          ∃ p: Packet  p ∈ queue ∧ (now = p.deadline)
        evolve
          d(now) = 1

Figure 2: Time-bounded channel. 

The variable queue is used to hold a sequence of pairs consisting of a message that has 
been sent and its delivery deadline. The variable now is used to describe real time. Every 
send(m) transition adds to the queue a new pair whose first component is m and whose 
second component is the deadline now + b. A receive(m) transition can occur only when 
m is the first message in the queue and it results in the removal of the first message from 
the queue. 

The trajectory specification shows that the variable now increases with rate 1, that is, 
at the same rate as real time. The stopping condition implies that, within a trajectory, 
time cannot pass beyond the point where now becomes equal to the delivery deadline of 
some message in the queue. □ 


Example 4.2 (Periodic sending process). The automaton PeriodicSend in Fig. 3 is the 
specification of a process that sends messages periodically, every u time units, where u 
is an automaton parameter of type Real which is nonnegative. The type parameter M 
represents the type of the messages sent by the process. 

    automaton PeriodicSend(u: Real, M: Type)
      signature
        external send(m: M)
      states
        clock: Real := 0
      initially u ≥ 0
      transitions
        external send(m)
          pre clock = u
          eff clock := 0
      trajectories
        stop when
          clock = u
        evolve
          d(clock) = 1

Figure 3: Periodic sending process. 

The analog variable clock is a timer whose value records the amount of time that has 
elapsed since it was last reset to 0. A send(m) transition can occur only when clock = u, 
and it causes clock to be reset. The trajectory specification says that clock increases at 
the same rate as real time and time cannot pass beyond the point where clock = u. □ 


Example 4.3 (Periodic sending process with failures). The specification of the PeriodicSend 
process from Example 4.2 does not model failures. We now consider a variant of PeriodicSend 
where the process may fail and stop doing any discrete actions. The specification of this 
new automaton is given in Fig. 4. 

The discrete variable failed in automaton PeriodicSend2 is a boolean flag that records 
whether the process is failed. It is initialized to false and is set to true when a fail action 
occurs. The trajectory specification of PeriodicSend2 shows that time can advance without 
any bound when the process is failed. □ 


    automaton PeriodicSend2(u: Real, M: Type)
      signature
        external send(m: M), fail
      states
        failed: Bool := false,
        clock: Real := 0
      initially u ≥ 0
      transitions
        external send(m)
          pre ¬failed ∧ clock = u
          eff clock := 0
        external fail
          eff failed := true
      trajectories
        stop when
          ¬failed ∧ clock = u
        evolve
          d(clock) = 1

Figure 4: Periodic sending process with failures. 

Example 4.4 (Timeout process). The automaton Timeout in Fig. 5 is the specification of 
a process that awaits the receipt of a message from another process. If u time units elapse 
without such a message arriving, Timeout performs a timeout action, thereby "suspecting" 
the other process. When a message arrives it "unsuspects" the other process. Timeout 
may suspect and unsuspect repeatedly. 

The discrete variable suspected is a flag that shows whether Timeout suspects that the 
other process is failed. The variable clock is a timer that records the amount of time that 
has elapsed since the receipt of the last message. A receive(m) transition can occur at 
any time; this causes the variable clock to be reset and the flag suspected to be set to 
false. If clock reaches u before the arrival of a message then the timeout action becomes 
enabled. The process sets suspected to true as a result of a timeout. 

The trajectory specification shows that clock increases at the same rate as real time 
and, if suspected = false, then time cannot go beyond the point where clock = u. Note 
that if suspected = true, there is no restriction on the amount of time that can elapse. □ 


    automaton Timeout(u: Real, M: Type)
      signature
        external receive(m: M), timeout
      states
        suspected: Bool := false,
        clock: Real := 0
      initially u > 0
      transitions
        external receive(m)
          eff clock := 0;
              suspected := false
        external timeout
          pre ¬suspected ∧ clock = u
          eff suspected := true
      trajectories
        stop when
          clock = u ∧ ¬suspected
        evolve
          d(clock) = 1

Figure 5: Timeout. 

Example 4.5 (Fischer's algorithm). The timed automaton FischerME presented in Figs. 6 
and 7 is the specification of a shared memory mutual exclusion algorithm which uses a 
single shared variable that can be read and written by all the participants. We fix here 
the number of participants to be four, by defining Index to be an enumeration consisting 
of four elements. Note, however, that this specification can be generalized to any finite 
number of participants. 

The automaton parameters u_set and l_check represent upper and lower time bounds 
for the set(i) and check(i) actions respectively. We assume that u_set < l_check. 

The shared variable x can be assigned any value of type Index plus one additional 
special value nil. If a process is in the critical region, then the variable x contains the 
index of that process. If all users are in the remainder region, then the variable x contains 
the value nil. The array variable pc records the program counters of all processes. The 
array variable lastset keeps track of the deadlines by which the processes' set actions 
must occur. Similarly, the array variable firstcheck keeps track of the earliest time the 
processes' check actions may occur. The analog variable now models real time. 

The transition definitions for external actions try(i), crit(i), exit(i), and rem(i) 
are straightforward. When a process performs one of these actions, its program counter 
is updated to record the region entered by the process. The most interesting transition 
definitions are test(i), set(i), and check(i) since they are the ones that involve timing 
constraints of the algorithm. When a process i performs a test action and observes x to 
be nil, it sets lastset[i] to now + u_set. This sets the deadline for the performance of the 
set(i) action. Note that this deadline is enforced through the stopping condition in the 
trajectory specification. The transition set(i) sets firstcheck[i] to now + l_check. The 
value of firstcheck[i] determines the earliest time check(i) may occur. The check(i) 
action is enabled only when the current time has at least this value. 

The stopping condition implies that if the value of now reaches the value of lastset[i] 
for some process i at some point in time, then that point must be the limit time of the 
trajectory. □ 

    type Index = enumeration of p1, p2, p3, p4
    type PcValue = enumeration of rem, test, set, check,
                                  leavetry, crit, reset, leaveexit

    automaton FischerME(u_set, l_check: Real)
      signature
        external try(i: Index), crit(i: Index), exit(i: Index), rem(i: Index)
        internal test(i: Index), set(i: Index), check(i: Index), reset(i: Index)
      states
        x: Null[Index] := nil,
        pc: Array[Index, PcValue] := constant(rem),
        lastset: Array[Index, discrete AugmentedReal] := constant(infty),
        firstcheck: Array[Index, discrete AugmentedReal] := constant(0),
        now: Real := 0
      initially u_set > 0 ∧ l_check > 0 ∧ u_set < l_check

Figure 6: Fischer's mutual exclusion algorithm: Signature and states. 
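The mutual exclusion property of FischerME rests entirely on the timing assumption u_set < l_check, which is exactly the kind of assumption a design review should test. The following Python code is an added example, not from the monograph: `FischerME` is an assumed executable reading of Figs. 6 and 7 (x is `None` for nil, the four Index values are the strings `p1`..`p4`), whose `advance` enforces the stop-when clause and whose `step` enforces each pre clause. The `race` scenario has two processes read x = nil, lets p1 set first and wait l_check before checking, and lets p2 set as late as its deadline allows. With u_set < l_check the stopping condition forces p2's set before p1's check, so p1 sees x ≠ p1 and retries; with the assumption violated, or with u_set = l_check, the same scenario puts both processes in the critical region.

```python
import math

PROCS = ("p1", "p2", "p3", "p4")       # the four elements of type Index


class FischerME:
    """Executable reading of FischerME (Figs. 6 and 7), assumed for this
    example and not part of the monograph; x is None for nil."""

    def __init__(self, u_set: float, l_check: float):
        self.u_set, self.l_check = u_set, l_check
        self.x = None
        self.pc = {p: "rem" for p in PROCS}
        self.lastset = {p: math.inf for p in PROCS}
        self.firstcheck = {p: 0.0 for p in PROCS}
        self.now = 0.0

    def advance(self, dt: float) -> "FischerME":
        """Trajectory with d(now) = 1.  The stop-when clause (exists i: now =
        lastset[i]) means time cannot pass a pending set deadline."""
        if dt > min(self.lastset.values()) - self.now:
            raise RuntimeError("time cannot pass beyond a set deadline")
        self.now += dt
        return self

    def step(self, action: str, i: str) -> "FischerME":
        """One discrete transition of Fig. 7; raises if its pre clause fails."""
        pc = self.pc
        if action == "try" and pc[i] == "rem":
            pc[i] = "test"
        elif action == "test" and pc[i] == "test":
            if self.x is None:                      # only then a deadline is set
                pc[i] = "set"
                self.lastset[i] = self.now + self.u_set
        elif action == "set" and pc[i] == "set":
            self.x, pc[i] = i, "check"
            self.lastset[i] = math.inf
            self.firstcheck[i] = self.now + self.l_check
        elif (action == "check" and pc[i] == "check"
              and self.now >= self.firstcheck[i]):
            pc[i] = "leavetry" if self.x == i else "test"
        elif action == "crit" and pc[i] == "leavetry":
            pc[i] = "crit"
        elif action == "exit" and pc[i] == "crit":
            pc[i] = "reset"
        elif action == "reset" and pc[i] == "reset":
            self.x, pc[i] = None, "leaveexit"
        elif action == "rem" and pc[i] == "leaveexit":
            pc[i] = "rem"
        else:
            raise RuntimeError(f"{action}({i}) is not enabled")
        return self

    def in_crit(self) -> list:
        return [p for p in PROCS if self.pc[p] == "crit"]


def race(u_set: float, l_check: float) -> list:
    """p1 and p2 both read x = nil; p1 sets first and waits l_check before
    checking, p2 sets as late as its deadline allows.  Returns the processes
    that end up in the critical region."""
    m = FischerME(u_set, l_check)
    for p in ("p1", "p2"):
        m.step("try", p).step("test", p)      # both get a set deadline now + u_set
    m.step("set", "p1")                       # x := p1; p1 may check from now + l_check
    try:
        m.advance(l_check)                    # legal only if no set deadline is hit first
    except RuntimeError:
        m.advance(u_set).step("set", "p2")    # stop-when forces p2's set before that
        m.advance(l_check - u_set)
    m.step("check", "p1")                     # succeeds only if x is still p1
    if m.pc["p1"] == "leavetry":
        m.step("crit", "p1")
    if m.pc["p2"] == "set":                   # p2 has not yet written x
        m.advance(m.lastset["p2"] - m.now).step("set", "p2")
    m.advance(m.firstcheck["p2"] - m.now)
    m.step("check", "p2")
    if m.pc["p2"] == "leavetry":
        m.step("crit", "p2")
    return m.in_crit()
```

The scenario is one execution, not a proof: it demonstrates that the property is violated when the assumption fails, while the claim that it holds under u_set < l_check needs the simulation-based reasoning developed later in the monograph. Passing u_set = l_check shows why the inequality in the initially clause must be strict: p1 may check at the very instant p2's set deadline expires, and the order of those two steps is unconstrained.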


Example 4.6 (Clock synchronization). The automaton ClockSync in Fig. 8 is the specification
of a single process in a clock synchronization algorithm. Each process has a physical
clock and generates a logical clock. The goal of the algorithm is to achieve “agreement”
and “validity” among the logical clock values. Agreement means that the logical clocks
are close to one another. Validity means that the logical clocks are within the range of
the physical clocks.

The algorithm is based on the exchange of physical clock values between different
processes in the system. The parameter u determines the frequency of sending messages.
Processes in the system are indexed by the elements of the type Index, which we assume to
be pre-defined. ClockSync has a physical clock physclock, which may drift from real
time with a drift rate bounded by r. It uses the variable maxother to keep track of the
largest physical clock value of the other processes in the system. The variable nextsend
records when it is supposed to send its physical clock to the other processes. The logical
clock, logclock, is defined to be the maximum of maxother and physclock. Formally,
logclock is a derived variable, which is a function whose value is defined in terms of the
state variables.

    transitions
      external try(i)
        pre pc[i] = rem
        eff pc[i] := test
      internal test(i)
        pre pc[i] = test
        eff if x = nil then
              pc[i] := set;
              lastset[i] := now + u_set
      internal set(i)
        pre pc[i] = set
        eff x := embed(i);
            pc[i] := check;
            lastset[i] := infty;
            firstcheck[i] := now + l_check
      internal check(i)
        pre pc[i] = check ∧ now ≥ firstcheck[i]
        eff if x = embed(i) then pc[i] := leavetry
            else pc[i] := test
      external crit(i)
        pre pc[i] = leavetry
        eff pc[i] := crit
      external exit(i)
        pre pc[i] = crit
        eff pc[i] := reset
      internal reset(i)
        pre pc[i] = reset
        eff x := nil;
            pc[i] := leaveexit
      external rem(i)
        pre pc[i] = leaveexit
        eff pc[i] := rem
    trajectories
      stop when ∃ i: Index now = lastset[i]
      evolve d(now) = 1

Figure 7: Fischer’s mutual exclusion algorithm:

    automaton ClockSync(u, r: Real, i: Index)
      signature
        external send(m: Real, const i: Index),
                 receive(m: Real, j: Index, const i: Index) where j ≠ i
      states
        nextsend: discrete Real := 0,
        maxother: discrete Real := 0,
        physclock: Real := 0
      initially u > 0 ∧ (0 < r < 1)
      derived variables
        logclock = max(maxother, physclock)
      transitions
        external send(m, i)
          pre m = physclock ∧ physclock = nextsend
          eff nextsend := nextsend + u
        external receive(m, j, i)
          eff maxother := max(maxother, m)
      trajectories
        stop when physclock = nextsend
        evolve (1 - r) < d(physclock) < (1 + r)

Figure 8: Clock synchronization.

A send(m,i) transition is enabled when m = physclock and nextsend = physclock. It
causes the value of nextsend to be updated so that the next send can occur when physclock
has advanced by u time units. The transition definition for receive(m, j, i) specifies the
effect of receiving a message from another process j in the system. Upon the receipt of a
message m from j, i sets maxother to the maximum of m and the current value of maxother,
thereby updating its knowledge of the largest physical clock value of other processes in
the system.

The trajectory specification is slightly different from that in the previous examples. In 
this example, the analog variable physclock does not change at the same rate as real time 
but it drifts with a rate that is bounded by r. The periodic sending of physical clocks to 
other processes is enforced through the stopping condition in the trajectory specification. 
Time is not allowed to pass beyond the point where physclock = nextsend. □ 


4.2 Executions and Traces 

We now define execution fragments, executions, trace fragments, and traces, which are
used to describe automaton behavior. An execution fragment of a timed automaton A is
an (A, V)-sequence α = τ₀ a₁ τ₁ a₂ τ₂ …, where (1) each τᵢ is a trajectory in 𝒯, and (2)
if τᵢ is not the last trajectory in α then τᵢ.lstate −aᵢ₊₁→ τᵢ₊₁.fstate. An execution fragment
records what happens during a particular run of a system, including all the instantaneous,
discrete state changes and all the changes to the state that occur while time advances. We
write frags_A for the set of all execution fragments of A.

If α is an execution fragment, with notation as above, then we define the first state of
α, α.fstate, to be α.fval. An execution fragment of a timed automaton A from a state x
of A is an execution fragment of A whose first state is x. We write frags_A(x) for the set of
execution fragments of A from x. An execution fragment α is defined to be an execution if
α.fstate is a start state, that is, α.fstate ∈ Θ. We write execs_A for the set of all executions
of A. If α is a closed (A, V)-sequence then we define the last state of α, α.lstate, to be
α.lval.

A state of A is reachable if it is the last state of some closed execution of A. A property 
that is true for all reachable states of an automaton is called an invariant assertion, or 
invariant, for short. 

Like trajectories, execution fragments are closed under countable concatenation.

Lemma 4.7 Let α₀ α₁ … be a finite or infinite sequence of execution fragments of A such
that, for each nonfinal index i, αᵢ is closed and αᵢ.lstate = αᵢ₊₁.fstate. Then α₀ ⌢ α₁ ⌢ ⋯
is an execution fragment of A.

Proof: Follows easily from the definitions, using Axiom T3. □

The characterization of the prefix ordering on (A, V)-sequences from Lemma 3.7 carries
over to execution fragments.

Lemma 4.8 Let α and β be execution fragments of A with α closed. Then

α ≤ β ⟺ ∃ α′ ∈ frags_A : β = α ⌢ α′.

Proof: Implication “⇐” follows from the corresponding implication in Lemma 3.7.
Implication “⇒” follows from the definitions and T2. □

The external behavior of a timed automaton is captured by the set of “traces” of
its execution fragments, which record external actions and the trajectories that describe
the intervening passage of time. A trace consists of alternating external actions and
trajectories over the empty set of variables, ∅; the only interesting information contained
in these trajectories is the amount of time that elapses.

Formally, if α is an execution fragment, then the trace of α, denoted by trace(α), is
the (E, ∅)-restriction of α, α ⌈(E, ∅). A trace fragment of a timed automaton A from a
state x of A is the trace of an execution fragment of A whose first state is x. We write
tracefrags_A(x) for the set of trace fragments of A from x. Also, we define a trace of A to
be a trace fragment from a start state, that is, the trace of an execution of A, and write
traces_A for the set of traces of A.

In the earlier timed automaton models [10, 8], execution fragments were defined in a 
similar style to the one presented here, that is, as an alternating sequence of trajectories 
and actions. However, the traces were not derived from execution fragments by a simple 
restriction to external actions and the empty set of variables. Rather, a trace was defined 
as a sequence consisting of actions paired with their time of occurrence together with 
a limit time. The new definition increases uniformity; the definitions, results and proof 
techniques for hybrid sequences apply to both execution fragments and traces. 

We now revisit some of the automata presented earlier in this chapter and give sample 
executions and traces for these automata. 

Example 4.9 (Periodic sending process). Consider the automaton PeriodicSend from
Example 4.2 where u is instantiated to the real number 3 and the message type parameter
M is instantiated to the set {m1, m2, …}. The following sequence is an execution of the
automaton:

α = τ send(m1) τ send(m2) τ send(m3) τ …

where τ : [0,3] → val({clock}) is defined such that τ(t)(clock) = t for all t ∈ [0,3]. The
function τ is defined for closed intervals of length 3, starting at time 0. It describes the
evolution of the variable clock, which is 0 at the start of τ and increases with rate 1 for
3 time units. The discrete send events occur periodically, every 3 time units, and reset the
clock variable to 0.

The trace of the above execution fragment, trace(α), is the sequence

α′ = τ′ send(m1) τ′ send(m2) τ′ send(m3) τ′ …

where τ′ : [0,3] → val(∅). Since the range of function τ′ contains only the function with
the empty domain, trace(α) does not contain any information about what happens to the
value of clock as time progresses. Since the domains of τ and τ′ are identical, α and
α′ express the same information about the amount of time that elapses between discrete
steps. □

Example 4.10 (Timeout process). We now present an execution of the automaton
Timeout from Example 4.4 where the maximum waiting time u for a message is 5 and
the message alphabet M is the set {m1, m2}. The following finite sequence is an execution
of Timeout:

α = τ₀ receive(m1) τ₁ timeout τ₂ receive(m2) τ₃ timeout τ₄

where Val = val({suspected, clock}) and the functions τ₀, τ₁, τ₂, τ₃, τ₄ are defined as
follows:

τ₀ : [0,2] → Val where τ₀(t)(suspected) = false and τ₀(t)(clock) = t for all t ∈ [0,2].

τ₁ : [0,5] → Val where τ₁(t)(suspected) = false and τ₁(t)(clock) = t for all t ∈ [0,5].

τ₂ : [0,1] → Val where τ₂(t)(suspected) = true and τ₂(t)(clock) = 5 + t for all t ∈ [0,1].

τ₃ : [0,5] → Val where τ₃(t)(suspected) = false and τ₃(t)(clock) = t for all t ∈ [0,5].

τ₄ : [0, ∞) → Val where τ₄(t)(suspected) = true and τ₄(t)(clock) = 5 + t for all t ∈ [0, ∞).

In this sample execution, the first awaited message arrives at time 2. Since no other
message arrives within the next 5 time units, the process performs a timeout. A new
message arrives 1 time unit after the timeout and the variable clock is reset to 0. Since
no new message arrives in the next 5 time units, the process performs another timeout.
Time elapses forever after this timeout since no further message arrives.

This example illustrates that the automaton Timeout can perform multiple timeout
transitions. Another point to note is that the sample execution consists of a finite (A, V)-
sequence ending with a trajectory, as opposed to an infinite sequence as in Example 4.9.
The final trajectory here is a trajectory whose domain is right open, and the execution is
admissible and non-Zeno. Replacing τ₄ with a function on a closed interval would yield a
non-Zeno execution that is not admissible.

The trace of the execution α can be obtained by letting the range of each τᵢ be the set
consisting of the function with the empty domain, as we did in the previous example. That
is, by hiding the values of the internal variables clock and suspected during trajectories.
□

Example 4.11 (Time-bounded channel). Consider the time-bounded channel automaton
from Example 4.1. It is easy to observe that time cannot pass beyond any delivery deadline
recorded in the message queue and that each deadline in the queue is less than or equal to
the sum of the current time and the bound b. This property can be stated as an invariant
assertion as follows.

Invariant 1: In any reachable state x of automaton TimedChannel, for all p ∈ x(queue),
x(now) ≤ p.deadline ≤ x(now) + b.

Such an invariant can be proved by induction. Recall that reachable states are the
final states of closed executions. Axioms T1 and T2 allow us to view any closed execution
as a concatenation of closed execution fragments, α₀ ⌢ α₁ ⌢ ⋯ ⌢ α_k, where every αᵢ is
either a closed trajectory or a discrete action surrounded by point trajectories, and where
αᵢ.lstate = αᵢ₊₁.fstate for 0 ≤ i ≤ k − 1. The invariant can then be proved using induction
on the length k of the sequence of execution fragments αᵢ. □


Example 4.12 (Fischer’s mutual exclusion). The main safety property that needs to be
satisfied by the automaton FischerME from Example 4.5 is mutual exclusion. This safety
property can be expressed as an invariant assertion:

Invariant 1: In any reachable state x of FischerME, there do not exist i: Index and
j: Index such that i ≠ j, x(pc)[i] = crit and x(pc)[j] = crit.

Even though the invariant does not refer to time, its proof depends on the timing
constraints of the automaton. For example, the following auxiliary invariant can be used
in proving Invariant 4.12:

Invariant 2: In any reachable state x of FischerME, if x(pc)[i] = check, x(x) =
embed(i), and x(pc)[j] = set, then x(firstcheck)[i] > x(lastset)[j].

This invariant states that if the program counter of process i has the value check, the
program counter of process j has the value set, and the variable x has the value embed(i),
then i will allow enough time for j to set x to embed(j), before performing the check. If this
timing constraint were not satisfied, it would be possible for i to check that x = embed(i)
before j sets x to embed(j). Both of the processes would then observe x to contain their
own index and enter the critical region. □
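As an added illustration (not code from the monograph), the following Python explores every reachable state of FischerME from Figs. 6 and 7 and checks Invariant 1 on each of them, then shows that a state with two processes in crit becomes reachable as soon as the assumption u_set < l_check is dropped. It assumes an integer-valued time model in which trajectories advance now in unit steps, and stores the timers lastset[i] and firstcheck[i] relative to now so that the state space is finite; both are simplifications of this example, not the monograph's real-time semantics.

```python
from collections import deque

# Program-counter values of FischerME (type PcValue in Fig. 6).
REM, TEST, SET, CHECK, LEAVETRY, CRIT, RESET, LEAVEEXIT = range(8)
INF = None  # plays the role of infty for lastset[i]


def repl(t, i, v):
    """Return tuple t with position i replaced by v."""
    return t[:i] + (v,) + t[i + 1:]


def initial_state(n):
    """Start state for n processes: x = nil, pc = constant(rem),
    lastset = constant(infty), firstcheck = constant(0), now = 0.
    Timers are kept relative to now (lastset[i] - now, and
    max(firstcheck[i] - now, 0), since only 'now >= firstcheck[i]' matters),
    so `now` itself is not stored.  Assumption of this example."""
    return (None, (REM,) * n, (INF,) * n, (0,) * n)


def discrete_successors(s, u_set, l_check):
    """Yield the target state of every enabled discrete transition of Fig. 7.
    test(i) with x != nil is enabled but has no effect, so it is omitted."""
    x, pc, ls, fc = s
    for i, p in enumerate(pc):
        if p == REM:                              # try(i)
            yield (x, repl(pc, i, TEST), ls, fc)
        elif p == TEST and x is None:             # test(i), x = nil branch
            yield (x, repl(pc, i, SET), repl(ls, i, u_set), fc)
        elif p == SET:                            # set(i): x := embed(i)
            yield (i, repl(pc, i, CHECK), repl(ls, i, INF), repl(fc, i, l_check))
        elif p == CHECK and fc[i] == 0:           # check(i): now >= firstcheck[i]
            yield (x, repl(pc, i, LEAVETRY if x == i else TEST), ls, fc)
        elif p == LEAVETRY:                       # crit(i)
            yield (x, repl(pc, i, CRIT), ls, fc)
        elif p == CRIT:                           # exit(i)
            yield (x, repl(pc, i, RESET), ls, fc)
        elif p == RESET:                          # reset(i): x := nil
            yield (None, repl(pc, i, LEAVEEXIT), ls, fc)
        elif p == LEAVEEXIT:                      # rem(i)
            yield (x, repl(pc, i, REM), ls, fc)


def time_successor(s):
    """Let one time unit pass (evolve d(now) = 1), or return None when the
    stopping condition 'stop when exists i: now = lastset[i]' forbids it."""
    x, pc, ls, fc = s
    if any(t == 0 for t in ls):
        return None
    return (x, pc,
            tuple(INF if t is INF else t - 1 for t in ls),
            tuple(max(t - 1, 0) for t in fc))


def mutual_exclusion(s):
    """Invariant 1 of Example 4.12: at most one process has pc[i] = crit."""
    return sum(p == CRIT for p in s[1]) <= 1


def explore(n, u_set, l_check):
    """Breadth-first search over all reachable states of FischerME with n
    processes and integer parameters u_set, l_check.  Returns (number of
    states visited, first state violating mutual exclusion or None)."""
    start = initial_state(n)
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if not mutual_exclusion(s):
            return len(seen), s
        succ = list(discrete_successors(s, u_set, l_check))
        t = time_successor(s)
        if t is not None:
            succ.append(t)
        for s2 in succ:
            if s2 not in seen:
                seen.add(s2)
                queue.append(s2)
    return len(seen), None


if __name__ == "__main__":
    # u_set < l_check, as required by the 'initially' clause: no violation.
    print(explore(2, 1, 2))
    # u_set >= l_check: a state with two processes in crit is reachable.
    print(explore(2, 2, 1))
```

The violating run found for u_set ≥ l_check is exactly the scenario described under Invariant 2: process i passes check(i) before process j has performed set(j).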

The following lemma states that some properties of executions carry over to their traces
and vice versa.

Lemma 4.13 If α is an execution of A then

1. α is time-bounded if and only if trace(α) is time-bounded.

2. α is admissible if and only if trace(α) is admissible.

3. If α is closed then trace(α) is closed.

4. If α is non-Zeno then trace(α) is non-Zeno.

Proof: Follows directly from the corresponding properties for the restriction of (A, V)-
sequences (Lemma 3.11). □


Lemma 4.14 If β is a trace of A then

1. If β is closed then there exists an execution α of A such that trace(α) = β and α is
closed.

2. If β is non-Zeno then there exists an execution α of A such that trace(α) = β and
α is non-Zeno.

Proof: For the first part of the theorem, let β = trace(α) be a closed trace of A. By
definition of a trace, we know that β.ltime = α.ltime. We also know that α is either closed
or has a suffix which is an infinite sequence of alternating point trajectories and internal
actions. Now, let α′ be the least closed prefix of α such that α′.ltime = β.ltime. Clearly,
α′ is a closed execution of A and β = trace(α′).

For the second part of the theorem, observe that a non-Zeno trace is either closed or
admissible. Let β = trace(α). For the case where β is closed, we have already shown how
we can find a closed execution. For the case where β = trace(α) is admissible, we know
that α.ltime = ∞. Hence, α is admissible, as needed. □


Example 4.15 (Constructing a closed execution from a closed trace). Consider the Zeno
hybrid sequence α = ℘(v) a ℘(v) a ℘(v) … given in Example 3.12. Suppose that α is an
execution of A and that a is an internal action of A. Then, trace(α) = ℘(v′) where ℘(v′)
is a trajectory over the empty set of variables. However, the fact that trace(α) is closed
does not imply that α is closed. Thus, we see why we have a one-way implication in item
3 of Lemma 4.13. On the other hand, we can construct a closed execution of A with trace
℘(v′) as explained in the proof of Lemma 4.14. The execution consisting of the point
trajectory ℘(v) is a closed execution of A with trace ℘(v′). □


4.3 Special Kinds of Timed Automata 

This section describes several restricted forms of timed automata and gives definitions 
that are needed for theorems that are presented later on in this monograph. 
Timed Automata with Finite Internal Nondeterminism: We are sometimes
interested in bounding the amount of internal nondeterminism in a timed automaton. Thus,
we say that a timed automaton A has finite internal nondeterminism (FIN) provided
that:

1. The set Θ of start states is finite, and

2. For every state x of A and every trace fragment β of A from x, the set {α.lstate |
α ∈ frags_A(x) ∧ trace(α) = β} is finite.


Example 4.16 (Automata with FIN). It is not hard to see that the automata TimedChannel,
PeriodicSend, PeriodicSend2, and Timeout given in Section 4.1 all have FIN. The first
property of the definition of FIN is satisfied since each of these automata has a unique start
state. The second property follows from the fact that in each automaton, for every state
x and every trace fragment β from x, there is a unique execution fragment α such that
trace(α) = β. □


Example 4.17 (Automata without FIN). We show that automata FischerME and ClockSync
from Section 4.1 do not have FIN. For each automaton, we specify a trace, describe the
set of all executions that have the specified trace, and argue that the second property in
the definition of FIN fails for the chosen trace.

Let x be the start state of FischerME and β = τ₀ try(i) τ₁ be a trace of the same
automaton where the domains of the functions τ₀ and τ₁ are, respectively, the single point
interval [0,0] and the interval [0,u], and the range of both functions is the set consisting
of the function with the empty domain. For any execution α, trace(α) = β if and only if
α.ltime = u, try(i) occurs at time 0, and all the actions in α that occur after try(i) are
internal actions. There are infinitely many different times that the internal actions may
occur, and infinitely many values lastset and firstcheck could have, by the time u.
Therefore, the set {α.lstate | α ∈ frags_A(x) ∧ trace(α) = τ₀ try(i) τ₁} is not finite and
FischerME does not have FIN.

Now, let x be the start state of ClockSync where x(physclock) = x(nextsend) =
x(maxother) = 0 and β = τ₀ send(0) τ₁ be a trace of ClockSync where the domains of
functions τ₀ and τ₁ are, respectively, the interval [0,0] and the interval [0,u], and the range
of both functions is the set consisting of the function with the empty domain. For any α
in which send(0) occurs at time 0 and is followed by a trajectory τ such that τ.ltime = u,
we have trace(α) = β. For any such α, α.lstate(physclock) can be any value in the
interval [u(1 − r), u(1 + r)]. Therefore, the set {α.lstate | α ∈ frags_A(x) ∧ trace(α) =
τ₀ send(0) τ₁} is not finite and ClockSync does not have FIN. □

The following lemma states that if a timed automaton has FIN, then its set of traces 
is limit-closed. 
Lemma 4.18 Suppose that timed automaton A has FIN and x ∈ Q. Suppose that
β₁ β₂ ⋯ is a chain of trace fragments of A from x. Then the hybrid sequence limᵢ βᵢ
is a trace fragment of A from x.

Proof: This is analogous to the proof of Lemma 4.3 of [10]. Suppose that A is a timed
automaton that has FIN, x is a state of A, and β₁ β₂ … is a chain of trace fragments of
A from x. We define a relation after between trace fragments from x and states of A:

after = {(β, y) | ∃ α ∈ frags_A(x). trace(α) = β ∧ α.lstate = y}.

We construct a directed graph G whose nodes are pairs (βᵢ, y) ∈ after where βᵢ is
an element of the given chain. In G, there is an edge from (βᵢ, y) to (βᵢ₊₁, y′) exactly if
βᵢ₊₁ = βᵢ ⌢ γ such that γ = trace(α) for some α ∈ frags_A(y), and α.lstate = y′. By the
definition of property FIN, there are finitely many roots of G of the form (β₁, y). By the
definition of FIN and the construction of G, each node of G has finite outdegree.

We claim that each node (βᵢ, y) of G is reachable from some root (β₁, z) for some z.
By definition of the node set, there exists α ∈ frags_A(x) such that trace(α) = βᵢ and
α.lstate = y. Choose α′ ∈ frags_A(x) to be a prefix of α such that trace(α′) = β₁ and let
z = α′.lstate. By definition of the edge set of G, (βᵢ, y) is reachable from (β₁, z).

Hence, G satisfies the hypotheses of Lemma 2.3, which implies that there is an infinite
execution fragment starting from x whose trace is limᵢ βᵢ. Lemma 2.3 is an extension of
König’s lemma. □

There are two references to automata with FIN later in the paper. The first one is in 
Theorem 4.19, which lists some sufficient conditions for establishing an implementation 
relationship between two automata. The second reference appears in the discussion about 
the kinds of automata that satisfy the assumptions of Theorem 7.7. 


Feasible Timed Automata: A timed automaton A is feasible provided that, for every 
state x of A, there exists an admissible execution fragment of A from x. 

Feasibility is a basic requirement that any “reasonable” timed automaton should
satisfy. Theorems 4.19 and 6.2 establish some results about feasible automata.


Timing-Independent Timed Automata: A timed automaton A is said to be timing-
independent provided that all its state variables are discrete variables, and its set of
trajectories is exactly the set of constant-valued functions over left-closed time intervals with
left endpoint 0.

We refer to timing-independent automata later in Examples 5.12 and 7.9, and in our 
discussion about Theorem 7.7. 
4.4 Implementation Relationships

Timed automata A₁ and A₂ are comparable if they have the same external interface,
that is, if E₁ = E₂. If A₁ and A₂ are comparable then we say that A₁ implements A₂,
denoted by A₁ ≤ A₂, if the traces of A₁ are included among those of A₂, that is, if
traces_{A₁} ⊆ traces_{A₂}.¹

Other preorders between timed automata could also be used as implementation
relationships, for example, if A₁ and A₂ are comparable timed automata, we could consider:

• Every closed trace of A₁ is a trace of A₂.

• Every admissible trace of A₁ is a trace of A₂.

• Every non-Zeno trace of A₁ is a trace of A₂.


Theorem 4.19 Let A₁ and A₂ be comparable TAs.

1. If every closed trace of A₁ is a trace of A₂ and A₂ has FIN, then A₁ ≤ A₂.

2. If every admissible trace of A₁ is a trace of A₂ and A₁ is feasible, then every closed
trace of A₁ is a trace of A₂.

3. If every admissible trace of A₁ is a trace of A₂, A₁ is feasible, and A₂ has FIN, then
A₁ ≤ A₂.

Proof: Part 1 follows from Lemma 4.18.

For Part 2, consider a closed trace β of A₁. By feasibility of A₁, we may extend β
to an admissible trace β′ of A₁. Then by assumption, β′ is also a trace of A₂. By prefix
closure of the set of traces, β is a trace of A₂.

Part 3 follows from Parts 1 and 2. □


4.5 Simulation Relations 

In this section, we define simulation relations between timed automata. Simulation
relations may be used to show that one TA implements another, in the sense of inclusion
of sets of traces. We define two main types of simulation relations (forward and
backward simulations) and three derived notions (refinements, history relations and prophecy
relations).

¹ In [10, 39, 40, 41], definitions of the set of traces of an automaton and of one automaton implementing
another are based on closed and admissible executions only. The results we obtain in this paper using
the newer, more inclusive definition imply corresponding results for the earlier definition. For example,
we have the following property: If A₁ ≤ A₂ then the set of traces that arise from closed or admissible
executions of A₁ is a subset of the set of traces that arise from closed or admissible executions of A₂. This
follows from Lemmas 4.13 and 4.14.

Forward simulations are more commonly used than backward simulations because they
are easier to think about and are general enough to cover most interesting situations that
arise in practice. Backward simulations are sometimes necessary, in particular, when
nondeterministic choices are resolved earlier in the specification than in the implementation.
In proving implementation relations, we prefer to use forward simulation relations
whenever they exist, since backward simulations are harder to think about.

4.5.1 Forward Simulations 

Let A and B be comparable TAs. A forward simulation from A to B is a relation
R ⊆ Q_A × Q_B satisfying the following conditions, for all states x_A and x_B of A and B,
respectively:

1. If x_A ∈ Θ_A then there exists a state x_B ∈ Θ_B such that x_A R x_B.

2. If x_A R x_B and α is an execution fragment of A consisting of one action surrounded
by two point trajectories, with α.fstate = x_A, then B has a closed execution fragment
β with β.fstate = x_B, trace(β) = trace(α), and α.lstate R β.lstate.

3. If x_A R x_B and α is an execution fragment of A consisting of a single closed
trajectory, with α.fstate = x_A, then B has a closed execution fragment β with
β.fstate = x_B, trace(β) = trace(α), and α.lstate R β.lstate.

The first condition states that for each start state of A there exists a related start state
of B. The second and third conditions, which are referred to as transfer properties, assert
that each discrete transition, respectively each trajectory, of A can be simulated by a
corresponding execution fragment of B with the same trace.

Forward simulation relations induce a preorder between timed automata. 

Theorem 4.20 Let A, B and C be comparable TAs. If R₁ is a forward simulation from
A to B and R₂ is a forward simulation from B to C, then R₂ ∘ R₁ is a forward simulation
from A to C.

Even though the definition of a forward simulation only refers to closed trajectories it 
also yields a correspondence for open trajectories. 

Lemma 4.21 Let A and B be comparable TAs and let R be a forward simulation from A
to B. Let x_A and x_B be states of A and B, respectively, such that x_A R x_B. Let α be an
execution fragment of A from state x_A consisting of a single open trajectory. Then B has
an execution fragment β with β.fstate = x_B and trace(β) = trace(α).

Proof: Let τ be the single open trajectory in α. Using Axioms T1 and T2, we construct
an infinite sequence τ₀ τ₁ … of closed trajectories of A such that τ = τ₀ ⌢ τ₁ ⌢ ⋯. Then,
working recursively, we construct a sequence β₀ β₁ … of closed execution fragments of
B such that β₀.fstate = x_B and, for each i, τᵢ.lstate R βᵢ.lstate, βᵢ.lstate = βᵢ₊₁.fstate,
and trace(τᵢ) = trace(βᵢ). This construction uses induction on i, using Property 3 of the
definition of a forward simulation in the induction step. Now let β = β₀ ⌢ β₁ ⌢ ⋯. By
Lemma 4.7, β is an execution fragment of B. Clearly, β.fstate = x_B. By Lemma 3.9
applied to both α and β, trace(β) = trace(α). Thus β has the required properties. □


Theorem 4.22 Let A and B be comparable TAs and let R be a forward simulation from
A to B. Let x_A and x_B be states of A and B, respectively, such that x_A R x_B. Then
tracefrags_A(x_A) ⊆ tracefrags_B(x_B).

Proof: Suppose that δ is the trace of an execution fragment of A that starts from
x_A; we prove that δ is also a trace of an execution fragment of B that starts from x_B.
Let α = τ₀ a₁ τ₁ a₂ τ₂ ⋯ be an execution fragment of A such that α.fstate = x_A and
δ = trace(α). We consider cases:

1. α is an infinite sequence.

Using Axioms T1 and T2, we can write α as an infinite concatenation α₀ ⌢ α₁ ⌢ α₂ ⌢ ⋯
in which the execution fragments αᵢ with i even consist of a trajectory only, and the
execution fragments αᵢ with i odd consist of a single discrete step surrounded by
two point trajectories.

We define inductively a sequence β₀ β₁ … of closed execution fragments of B, such
that β₀.fstate = x_B and, for all i, βᵢ.lstate = βᵢ₊₁.fstate, αᵢ.lstate R βᵢ.lstate, and
trace(βᵢ) = trace(αᵢ). We use Property 3 of the definition of a simulation for the
construction of the βᵢ’s with i even, and Property 2 for the construction of the βᵢ’s
with i odd. Let β = β₀ ⌢ β₁ ⌢ β₂ ⌢ ⋯. By Lemma 4.7, β is an execution fragment
of B. Clearly, β.fstate = x_B. By Lemma 3.9, trace(β) = trace(α). Thus β has the
required properties.

2. α is a finite sequence ending with a closed trajectory.

Similar to the first case.

3. α is a finite sequence ending with an open trajectory.

Similar to the first case, using Lemma 4.21. □

The next corollary states that forward simulations constitute a sound technique for 
proving trace inclusion between timed automata. 

Corollary 4.23 Let A and B be comparable TAs and let R be a forward simulation from
A to B. Then A ≤ B.

Proof: Suppose β ∈ traces_A. Then β ∈ tracefrags_A(x_A) for some start state x_A of A.
Property 1 of the definition of simulation implies the existence of a start state x_B of B
such that x_A R x_B. Then Theorem 4.22 implies that β ∈ tracefrags_B(x_B). Since x_B is a
start state of B, this implies that β ∈ traces_B as needed. □


Example 4.24 (Time-bounded channels). Consider two instances of the specification in
Fig. 2, TimedChannel(b1, M) and TimedChannel(b2, M) where b1 < b2. We define a forward
simulation R from TimedChannel(b1, M) to TimedChannel(b2, M) below. If x is a state of
TimedChannel(b1, M) and y is a state of TimedChannel(b2, M), then x R y provided that
the following conditions are satisfied:

1. x(now) = y(now).

2. |x(queue)| = |y(queue)|. We use |q| to denote the length of an object q of type queue.

3. ∀z. 1 ≤ z ≤ |x(queue)|, if x(queue)(z) = [m, u1] then y(queue)(z) = [m, u2], for some
u2 with u1 < u2.

We can prove that R is a forward simulation from the automaton TimedChannel(b1, M) to
the automaton TimedChannel(b2, M) by showing that R satisfies each of the three
properties in the definition of a forward simulation relation. In each automaton there is a unique
initial state that maps the variable now to 0 and queue to the empty sequence. It is obvious
that the initial states, which are identical, are related by R and so the first property is
satisfied.

For the rest of the proof, we let x and y be, respectively, states of TimedChannel(b1,
M) and TimedChannel(b2, M) such that x R y. In order to show that the second property is
satisfied, we need to consider two cases, one for each discrete action that may be performed
by TimedChannel(b1, M).

If TimedChannel(b1, M) performs a send(m) action, and the state changes from x to
x′, then we need to find an execution fragment β of TimedChannel(b2, M) from y ending in
y′, such that x′ R y′ and trace(β) is the same as the trace of ℘(x) send(m) ℘(x′). The
execution fragment β = ℘(y) send(m) ℘(y′) satisfies the required conditions. This follows
from the hypothesis that x R y and the definition of R, using the fact that the effects of a
send(m) action of TimedChannel(b1, M) and TimedChannel(b2, M) are, respectively, adding the
entry [m, now + b1] to x(queue), and [m, now + b2] to y(queue) where b1 < b2.

If TimedChannel(b1, M) performs a receive(m) action, and the state changes from x
to x′, then we need to show that receive(m) is also enabled in y and that there is an
execution fragment with the required properties that ends in a state y′ such that x′ R y′.
In order to show that receive(m) is enabled in y, we use the hypothesis that x R y,
which implies that the first element of y(queue) is of the form [m, u] for some u. The
execution fragment ℘(y) receive(m) ℘(y′) of TimedChannel(b1, M) can be shown to satisfy
the required conditions.

For the third property, we consider a closed trajectory τ of TimedChannel(b1, M) with
τ.fstate = x and show that there exists a closed execution fragment β of the automaton
TimedChannel(b2, M) with β.fstate = y, trace(β) = trace(τ), and τ.lstate R β.lstate. It
is easy to check that the trajectory τ′ of TimedChannel(b2, M) with τ′.fstate = y and
τ′.ltime = τ.ltime satisfies the required conditions. □
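The proof above can be checked mechanically on a finite model. The following Python is an added example (not code from the monograph): it explores every reachable pair of related states of TimedChannel(b1, M) and TimedChannel(b2, M) and verifies, for each step of the first automaton, that the second can take a step with the same label into a pair that is again related by R, which is the content of Properties 2 and 3. It assumes an integer-valued time model in which a closed trajectory is a sequence of unit time steps, keeps each deadline relative to now, uses the constructed alphabet M = {m1, m2}, and bounds the exploration to queues of at most QMAX entries.

```python
from collections import deque

M = ("m1", "m2")   # constructed message alphabet, standing in for the type parameter M
QMAX = 3           # exploration bound on queue length; not part of TimedChannel


def steps(state, b):
    """Every step of TimedChannel(b, M) from `state`, as (label, successor).
    A state is a tuple of (message, deadline - now) pairs; deadlines are kept
    relative to now, so now itself is not stored.  The label ("time", 1) is
    the unit time step of this integer-time model (an assumption)."""
    out = []
    if len(state) < QMAX:
        for m in M:                               # send(m): append [m, now + b]
            out.append((("send", m), state + ((m, b),)))
    if state:                                     # receive(m): remove the first entry
        out.append((("receive", state[0][0]), state[1:]))
    if all(d > 0 for _, d in state):              # stop when exists p: p.deadline = now
        out.append((("time", 1), tuple((m, d - 1) for m, d in state)))
    return out


def related(x, y):
    """x R y as in Example 4.24: equal lengths, the same message at each
    position, and each deadline of x strictly below the one of y.  The
    condition x(now) = y(now) holds by construction, since both sides start
    at now = 0 and only advance time together."""
    return len(x) == len(y) and all(
        mx == my and dx < dy for (mx, dx), (my, dy) in zip(x, y))


def check_forward_simulation(b1, b2):
    """Explore all reachable pairs (x, y) with x R y, starting from the two
    identical empty start states (Property 1).  Returns None if every step of
    TimedChannel(b1, M) from x is matched by a step of TimedChannel(b2, M)
    from y with the same label that lands in a related pair (Properties 2
    and 3); otherwise the first unmatched (x, y, label) triple."""
    start = ((), ())
    seen, queue = {start}, deque([start])
    while queue:
        x, y = queue.popleft()
        for label, x2 in steps(x, b1):
            matches = [y2 for l2, y2 in steps(y, b2)
                       if l2 == label and related(x2, y2)]
            if not matches:
                return (x, y, label)
            for y2 in matches:
                if (x2, y2) not in seen:
                    seen.add((x2, y2))
                    queue.append((x2, y2))
    return None


if __name__ == "__main__":
    print(check_forward_simulation(1, 2))   # b1 < b2: R is a forward simulation
    print(check_forward_simulation(2, 1))   # b1 > b2: Property 2 fails on the first send
```

With b1 > b2 the very first send(m) already leads to a pair that R does not relate, which is the point in the proof where the hypothesis b1 < b2 is used.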


Example 4.25 (Time-bounded channel that keeps all messages). In this example we define 
a variant of TimedChannel from Example 4.1 called TimedChannel2. The main difference 
between TimedChannel and TimedChannel2 is that the message queue in TimedChannel2 is 
implemented using a finite sequence of (message, delivery deadline) pairs queue and a 
pointer ptr that points to the next element that is to be delivered. Hence, the internal 
variables of TimedChannel2 consist of queue, now and ptr. The variable ptr initially has 
value 1, which indicates that it is pointing to the first element in the sequence. A send(m) 
action causes messages and deadlines to be added to the sequence as in TimedChannel. 
A receive(m) causes ptr to be incremented to make it point to the next element in the 
sequence instead of removing the first element. The stop when predicate tests if there is a 
packet in the queue with index greater than or equal to ptr and deadline equal to now. The 
automaton TimedChannel can be viewed as an optimized implementation of TimedChannel2. 

We define below a forward simulation R from TimedChannel to TimedChannel2. If x is 
a state of TimedChannel and y is a state of TimedChannel2, then x R y provided that the 
following conditions are satisfied: 

1. x(now) = y(now). 

2. x(queue) = y(queue)(y(ptr) ... |y(queue)|). 

Here, we assume the sequence representation of queues and use the subsequence notation 
from Chapter 2 to denote the part of the queue that starts with the index y(ptr) and ends 
with the index |y(queue)|. □ 


Example 4.26 (Clock synchronization). In this example, we define a forward simulation 
from ClockSync of Fig. 8 to an automaton that sends multiples of u. The specification of 
this automaton, which is called SendVal is given in Fig. 9. We assume that the Index types 
in both automata are identical. The variable counter keeps track of which multiple of u 
is to be sent next, and variable now contains the current time. The automaton parameter 
r is used in the precondition of the send and the stopping condition of the trajectory 
definition, to enforce bounds on the times of occurrence of send. 

The following predicate defines a forward simulation R from automaton ClockSync to 
automaton SendVal: 

$now \cdot (1 - r) \le physclock \le now \cdot (1 + r)\ \wedge\ counter \cdot u = nextsend \ge physclock.$ 

automaton SendVal(u, r: Real, i: Index) 
  signature 
    external send(m: Real, const i: Index), 
             receive(m: Real, j: Index, const i: Index) where j ≠ i 
  states 
    counter: discrete Real := 0, 
    now: Real := 0, 
    initially u > 0 ∧ (0 ≤ r < 1) 
  transitions 
    external send(m, i) 
      pre 
        m = counter * u ∧ counter * u / (1 + r) ≤ now 
      eff 
        counter := counter + 1 
    external receive(m, j, i) 
  trajectories 
    stop when 
      now = counter * u / (1 - r) 
    evolve 
      d(now) = 1 

Figure 9: Clock synchronization. 


Whereas automaton ClockSync is more intuitive as a specification, automaton SendVal is 
easier for analysis purposes, since its continuous dynamics is simpler. □ 


4.5.2 Refinements 

A refinement is a simple, special case of a forward simulation, often used in practice (see 
for instance [42, 43]), in which the relation between states of A and B is a partial function. 

Let A and B be comparable TAs. A refinement from A to B is a partial function F 
from $Q_A$ to $Q_B$, satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, 
respectively: 

1. If $x_A \in \Theta_A$ then $x_A \in dom(F)$ and $F(x_A) \in \Theta_B$. 

2. If $\alpha$ is an execution fragment of A consisting of one action surrounded by two 
point trajectories and $\alpha.fstate \in dom(F)$, then $\alpha.lstate \in dom(F)$ and B has a 
closed execution fragment $\beta$ with $\beta.fstate = F(\alpha.fstate)$, $trace(\beta) = trace(\alpha)$, and 
$\beta.lstate = F(\alpha.lstate)$. 

3. If $\alpha$ is an execution fragment of A consisting of a single closed trajectory and 
$\alpha.fstate \in dom(F)$, then $\alpha.lstate \in dom(F)$ and B has a closed execution fragment 
$\beta$ with $\beta.fstate = F(\alpha.fstate)$, $trace(\beta) = trace(\alpha)$, and $\beta.lstate = F(\alpha.lstate)$. 

Note that, by a trivial inductive argument, the set of states for which F is defined contains 
all the reachable states of A (and is thus an invariant of this automaton). 

Theorem 4.27 Let A and B be two TAs and suppose $R \subseteq Q_A \times Q_B$. Then R is a 
refinement from A to B if and only if R is a forward simulation from A to B and R is a 
partial function. 

The following theorem states a basic sanity property of refinements, namely closure 
under composition. 


Theorem 4.28 Let A, B and C be comparable TAs. If $R_1$ is a refinement from A to B 
and $R_2$ is a refinement from B to C, then $R_2 \circ R_1$ is a refinement from A to C. 

A weak isomorphism from A to B is a refinement F from A to B such that $F^{-1}$ is a 
refinement from B to A. We say that two automata A and B are weakly isomorphic if 
there exists a weak isomorphism from A to B (or, equivalently, from B to A). 

Example 4.29 (Refinements). In Example 4.24 we established a forward simulation 
between two instances of the TA in Fig. 2, TimedChannel(b1, M) and TimedChannel(b2, M) 
with b1 < b2. It is not hard to see that there also exists a refinement from TimedChannel(b1, 
M) to TimedChannel(b2, M): just add b2 − b1 to the deadline of each packet in the queue. 

In Example 4.26 we defined a forward simulation from automaton ClockSync to 
automaton SendVal. In this case, however, there does not exist a refinement from ClockSync 
to SendVal if r > 0. The proof is by contradiction. Suppose that F is a refinement from 
ClockSync to SendVal. Then F maps the initial state of ClockSync to the initial state of 
SendVal. Since send actions can be simulated, the state $s_0$ of ClockSync with nextsend = u 
and physclock = 0 is mapped by F to the state of SendVal with counter = 1 and now = 0. 
Consider an outgoing trajectory of $s_0$ with positive limit time to a state $s_1$ in which the 
physical clock runs maximally fast, and a trajectory with the same limit time to a state 
$s_2$ in which the physical clock runs maximally slow. Since r > 0, $s_1$ and $s_2$ are distinct. 
By the transfer property for trajectories, both $s_1$ and $s_2$ are mapped onto the same state 
of SendVal. Now observe that there exists a trajectory with positive limit time from $s_2$ 
to $s_1$. This trajectory cannot be simulated in SendVal, since in this automaton there are 
no nontrivial trajectories from a state to itself. Contradiction. □ 
4.5.3 Backward Simulations 


Let A and B be comparable TAs. A backward simulation from A to B is a total relation 
$R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, 
respectively: 

1. If $x_A \in \Theta_A$ and $x_A\ R\ x_B$ then $x_B \in \Theta_B$. 

2. If $x_A\ R\ x_B$ and $\alpha$ is an execution fragment of A with $\alpha.lstate = x_A$, consisting of one 
discrete action surrounded by two point trajectories, then B has a closed execution 
fragment $\beta$ with $\beta.lstate = x_B$, $trace(\beta) = trace(\alpha)$, and $\alpha.fstate\ R\ \beta.fstate$. 

3. If $x_A\ R\ x_B$ and $\alpha$ is an execution fragment of A with $\alpha.lstate = x_A$, consisting 
of one trajectory, then B has a closed execution fragment $\beta$ with $\beta.lstate = x_B$, 
$trace(\beta) = trace(\alpha)$, and $\alpha.fstate\ R\ \beta.fstate$. 

Backward simulations are closed under relational composition, and hence induce a 
preorder between timed automata. 

Theorem 4.30 Let A, B and C be comparable TAs. If $R_1$ is a backward simulation from 
A to B and $R_2$ is a backward simulation from B to C, then $R_2 \circ R_1$ is a backward simulation 
from A to C. 

Theorem 4.31 Let A and B be comparable TAs and let R be a backward simulation from 
A to B. Let $x_A$ and $x_B$ be states of A and B, respectively, such that $x_A\ R\ x_B$. Let $\beta$ 
be the trace of a closed execution fragment of A from $y_A$ with last state $x_A$. Then there 
exists $y_B$ such that $\beta$ is also the trace of a closed execution fragment of B from $y_B$ with 
last state $x_B$ and $y_A\ R\ y_B$. 

Proof: Fix some R, $x_A$, $x_B$ and $\beta$ satisfying the conditions in the statement of the 
theorem. Let $\alpha \in frags_A(y_A)$ for some state $y_A$ of A with $trace(\alpha) = \beta$ and $\alpha.lstate = x_A$. 
By using the Axioms T1 and T2, we can write $\alpha$ as the concatenation of a sequence of 
closed execution fragments, $\alpha = \alpha_0 \frown \alpha_1 \frown \ldots \frown \alpha_n$, where each $\alpha_i$ is either a closed trajectory 
or an action surrounded by two point trajectories, $\alpha_i.lstate = \alpha_{i+1}.fstate$ for $0 \le i \le n - 1$, 
and $\alpha_n.lstate = x_A$. 

By using the definition of a backward simulation, working backwards from $\alpha_n$, we can 
construct an execution fragment $\alpha' = \alpha'_0 \frown \alpha'_1 \frown \ldots \frown \alpha'_n$ from a state $y_B$ of B such that (a) 
$\alpha'.lstate = x_B$, (b) for all i, $0 \le i \le n$, $\alpha_i.fstate\ R\ \alpha'_i.fstate$ and $trace(\alpha'_i) = trace(\alpha_i)$, (c) 
for all i, $0 \le i \le n - 1$, $\alpha'_i.lstate = \alpha'_{i+1}.fstate$. Using Lemma 4.7, we can see that $\alpha'$ is an 
execution fragment of B. By Lemma 3.9, $trace(\alpha) = trace(\alpha')$ as needed. □ 

The next corollary states that backward simulations constitute a sound technique for 
proving inclusion of closed traces between timed automata. 
Corollary 4.32 Let A and B be comparable TAs and let R be a backward simulation from 
A to B. Then every closed trace of A is a trace of B. 

Proof: Suppose R is a backward simulation from A to B and $\beta$ is a closed trace of A. 
Then $\beta = trace(\alpha)$ for some closed execution $\alpha$ of A. Let $x_A$ and $y_A$ be the first and 
last states of $\alpha$, respectively. By the totality of relation R, there exists some state $y_B$ of 
B such that $y_A\ R\ y_B$. By Theorem 4.31, there exists $x_B$ of B such that $\beta$ is the trace of 
a closed execution fragment of B from $x_B$ with last state $y_B$ and $x_A\ R\ x_B$. Property 1 of 
the definition of a backward simulation relation implies that $x_B$ is a start state of B. It 
follows that $\beta \in traces_B$, as needed. □ 

Image-finite backward simulations constitute a sound technique for proving inclusion 
of (all) traces between timed automata. 

Theorem 4.33 Let A and B be comparable TAs and let R be an image-finite backward 
simulation from A to B. Then $traces_A \subseteq traces_B$. 

Proof: Let $\beta \in traces_A$. If $\beta$ is closed then Corollary 4.32 implies that $\beta$ is a trace of B. 
From now on we assume $\beta$ is not closed. 

Let $\alpha \in execs_A$ with $trace(\alpha) = \beta$. Note that any such $\alpha$ is either an infinite sequence 
$\tau_0\ a_1\ \tau_1 \ldots$ or a finite sequence $\tau_0\ a_1\ \tau_1 \ldots \tau_n$ where the final trajectory $\tau_n$ is right open. In 
either case, using the Axioms T1 and T2, we can construct an infinite sequence $\alpha_0\ \alpha_1 \ldots$ 
of closed execution fragments such that $\alpha = \alpha_0 \frown \alpha_1 \frown \ldots$ where $\alpha_0$ is a point trajectory, 
each $\alpha_i$ is either a closed trajectory or an action surrounded by two point trajectories, and 
$\alpha_i.lstate = \alpha_{i+1}.fstate$ for each $i \ge 0$. 

We construct a directed graph G whose nodes are pairs (x, i) consisting of a state x of 
B and an index i such that $(\alpha_i.lstate, x) \in R$. In G, there is an edge from (x, i) to (x', j) 
exactly if j = i + 1 and there is an $\alpha' \in frags_B(x)$ with $trace(\alpha') = trace(\alpha_{i+1})$ such that 
$\alpha'.lstate = x'$. By image-finiteness of R and the definition of the edge set, each node has 
finite outdegree. By using the definition of a backward simulation and the edge set of G, 
we can show that each node (x, i) is reachable from some root node (z, 0) for some start 
state z of B. Since R is image-finite there are finitely many roots of G. 

The directed graph G satisfies the hypotheses of Lemma 2.3, which implies that there 
is an infinite path in G starting from a root. An edge from a node (x, i) to (x', i + 1) 
along this infinite path corresponds to a closed execution fragment $\gamma_{i+1}$ of B, for $i \ge 0$, 
such that $\gamma_{i+1}.fstate = x$, $\gamma_{i+1}.lstate = x'$ and $trace(\gamma_{i+1}) = trace(\alpha_{i+1})$. By Lemma 4.7, 
$\gamma = \gamma_1 \frown \gamma_2 \frown \ldots$ is an execution of B and by Lemma 3.9, $trace(\gamma) = trace(\gamma_1) \frown trace(\gamma_2) \frown \ldots$ 
Since $trace(\gamma_{i+1}) = trace(\alpha_{i+1})$ for all $i \ge 0$, and $\alpha_0$ is a point trajectory, by Lemma 3.9, 
we get $trace(\gamma) = trace(\alpha) = \beta$. □ 

Example 4.34 (A backward simulation relation). This example illustrates the difference 
between forward and backward simulations. We consider two automata A and B and 
show that a forward simulation from A to B does not exist while we exhibit a backward 
simulation from A to B. 

Let A and B be two comparable automata specified below. The trajectories consist of 
a set of point trajectories. This implies that the automaton does not allow time to pass 
— everything happens at time 0. 

• $X_A = \{stateA\}$ and $X_B = \{stateB\}$ where: 

stateA is a discrete variable with $type(stateA) = \{x_A, y_A, q_A, s_A\}$, and 
stateB is a discrete variable with $type(stateB) = \{x_B, y_B, y'_B, q_B, s_B\}$. 

• $Q_A = val(X_A)$ and $Q_B = val(X_B)$. We write $x_A$ for the valuation that maps stateA 
to $x_A$, $y_A$ for the valuation that maps stateA to $y_A$, etc. Similarly, we write $x_B$ for 
the valuation that maps stateB to $x_B$, $y_B$ for the valuation that maps stateB to $y_B$, 
etc. 

• $\Theta_A = \{x_A\}$ and $\Theta_B = \{x_B\}$. 

• $E_A = E_B = \{a, b, c\}$ and $H_A = H_B = \emptyset$. 

• $D_A = \{(x_A, a, y_A), (y_A, b, q_A), (y_A, c, s_A)\}$, and 

$D_B = \{(x_B, a, y_B), (x_B, a, y'_B), (y_B, b, q_B), (y'_B, c, s_B)\}$. 

• $T_A = \{\wp(v) \mid v \in Q_A\}$, and $T_B = \{\wp(v) \mid v \in Q_B\}$. 

Fig. 10 displays automata A and B as directed multigraphs. The nodes in the graph 
represent states and the edges represent discrete transitions where a label on an edge 
stands for the action involved in the transition. 


[Figure 10: automata A and B drawn as directed multigraphs; image not reproduced] 

Figure 10: Difference between forward and backward simulations. 


An obvious candidate for a forward simulation from A to B is the relation 

$R = \{(x_A, x_B), (y_A, y_B), (y_A, y'_B), (q_A, q_B), (s_A, s_B)\}.$ 

However, observe that even though $y_A$ and $y_B$ are related by R, the execution fragment 
$\wp(y_A)\ c\ \wp(s_A)$ of A cannot be matched by any execution fragment of B starting with 
state $y_B$. Similarly, even though $y_A$ and $y'_B$ are related by R, the execution fragment 
$\wp(y_A)\ b\ \wp(q_A)$ of A cannot be matched by any execution fragment of B starting with $y'_B$. 
Therefore, R is not a forward simulation. In fact, there is no forward simulation relation 
from A to B: there are finitely many possibilities for forward simulations from A to B and 
we see that none of them is a forward simulation by examining all the possibilities. The 
main reason for this is that while A makes the nondeterministic choice between performing 
b or c after performing a, B makes its choice earlier, at the same time it performs a. 

There is, however, a backward simulation from A to B: the relation R defined above 
is a backward simulation. □ 


4.5.4 History Relations 

A relation $R \subseteq Q_A \times Q_B$ is a history relation from A to B if R is a forward simulation 
from A to B and $R^{-1}$ is a refinement from B to A. History relations induce a preorder 
between timed automata. 

An automaton B is obtained from an automaton A by adding history variables if there 
exists a set of variables X such that 

1. $X_B = X_A \cup X$ and $X_A \cap X = \emptyset$, 

2. $Q_B \lceil X_A \subseteq Q_A$, and 

3. the relation $\{(x, y) \mid y \in Q_B \text{ and } y \lceil X_A = x\}$ is a history relation from A to B. 

The method of adding history variables is typically used to make it possible to establish 
an implementation relationship using a refinement. If a refinement does not exist from a 
low-level automaton to a higher-level one, it can often be made to exist by adding history 
variables to the low-level automaton. 

Example 4.35 (Adding history variables to obtain a refinement). We cannot show 
that TimedChannel is an implementation of TimedChannel2 from Example 4.25 by using a 
refinement. This is because we have no way of specifying what the subsequence before the 
pointer should be in TimedChannel2 when relating the states of the two automata. This 
example shows how we can add history variables to TimedChannel (actually, we add just 
one variable) to obtain a new automaton that is related to TimedChannel2 by a refinement. 

Let log be a discrete variable whose static type is the same as the static type of queue 
in TimedChannel and let the initial value of log be the empty sequence. We define a new au¬ 
tomaton TimedChannelH whose set of variables consists of the variables of TimedChannel and 
the variable log. The rest of the definition of TimedChannelH is the same as TimedChannel 
except for the transition definition for receive(m). A receive(m) event in TimedChannelH 
not only removes the first message from the message queue but also appends this message 
to the sequence contained in log. 

Let $X_1$, $X_2$ be the sets of variables and $Q_1$, $Q_2$ be the sets of states of TimedChannel 
and TimedChannelH, respectively. It is easy to verify that the relation $\{(x, y) \mid y \in 
Q_2 \text{ and } y \lceil X_1 = x\}$ is a history relation from TimedChannel to TimedChannelH. This means 
that TimedChannelH is obtained from TimedChannel by adding a history variable. 

We now define a refinement F from TimedChannelH to TimedChannel2 as follows. In our 
definition we assume the following conventions. Concatenation on the left corresponds to 
putting an element on the front of a queue. Recall also that we use juxtaposition for 
concatenation of sequences. If x is a state of TimedChannelH and y is a state of TimedChannel2, 
then F(x) = y where: 

1. y(now) = x(now). 

2. y(queue) = x(log) ⌢ x(queue). 

3. y(ptr) = |x(log)| + 1. □ 
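To see the forward simulation R of Example 4.25 and the refinement F of Example 4.35 at work on concrete states, the following Python script (an added example, not code from the monograph) models TimedChannel, TimedChannel2 and TimedChannelH as the text describes them and runs one constructed send/receive/time sequence on all three in lockstep, checking R and F after every step. It assumes only what the text states about the channels: send(m) enqueues (m, now + b), receive(m) delivers the head of the queue, and time cannot pass beyond a pending deadline.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Packet = Tuple[str, float]  # (message, delivery deadline)


@dataclass
class TimedChannel:
    """Example 4.1 as described in the text: receive(m) delivers and removes the head."""
    b: float
    now: float = 0.0
    queue: List[Packet] = field(default_factory=list)

    def pending(self) -> List[Packet]:
        return self.queue  # packets not yet delivered

    def send(self, m: str) -> None:
        self.queue.append((m, self.now + self.b))

    def receive(self, m: str) -> bool:
        if not self.pending() or self.pending()[0][0] != m:
            return False  # receive(m) is not enabled in this state
        del self.queue[0]
        return True

    def advance(self, d: float) -> bool:
        """Trajectory of duration d. The stop when predicate (a pending deadline equals now)
        means time may pass up to, but never beyond, the earliest pending deadline."""
        if any(self.now + d > deadline for _, deadline in self.pending()):
            return False
        self.now += d
        return True


@dataclass
class TimedChannel2(TimedChannel):
    """Example 4.25: keeps every packet; ptr (1-based) indexes the next one to deliver."""
    ptr: int = 1

    def pending(self) -> List[Packet]:
        return self.queue[self.ptr - 1:]

    def receive(self, m: str) -> bool:
        if not self.pending() or self.pending()[0][0] != m:
            return False
        self.ptr += 1
        return True


@dataclass
class TimedChannelH(TimedChannel):
    """Example 4.35: TimedChannel plus the history variable log of delivered packets."""
    log: List[Packet] = field(default_factory=list)

    def receive(self, m: str) -> bool:
        if not self.queue or self.queue[0][0] != m:
            return False
        self.log.append(self.queue[0])
        return super().receive(m)


def sim_R(x: TimedChannel, y: TimedChannel2) -> bool:
    """Forward simulation of Example 4.25: x(queue) = y(queue)(y(ptr) ... |y(queue)|)."""
    return x.now == y.now and x.queue == y.queue[y.ptr - 1:]


def ref_F(x: TimedChannelH) -> TimedChannel2:
    """Refinement of Example 4.35, returned as the TimedChannel2 state F(x)."""
    return TimedChannel2(b=x.b, now=x.now, queue=x.log + x.queue, ptr=len(x.log) + 1)


def check_execution(b: float, steps: List[Tuple[str, object]]) -> List[int]:
    """Run one sequence of ("send", m) / ("receive", m) / ("time", d) steps on all three
    automata. Returns the indices of steps after which sim_R fails, ref_F(TimedChannelH)
    differs from the TimedChannel2 state, or an automaton refused the step ([] = all good)."""
    tc, tc2, tch = TimedChannel(b), TimedChannel2(b), TimedChannelH(b)
    bad: List[int] = []
    for i, (kind, arg) in enumerate(steps):
        ok = True
        for aut in (tc, tc2, tch):
            if kind == "send":
                aut.send(arg)
            elif kind == "receive":
                ok &= aut.receive(arg)
            else:  # "time"
                ok &= aut.advance(arg)
        f = ref_F(tch)
        if not (ok and sim_R(tc, tc2) and (f.now, f.queue, f.ptr) == (tc2.now, tc2.queue, tc2.ptr)):
            bad.append(i)
    return bad


# Constructed execution with b = 2: m1 is sent at time 1 (deadline 3), m2 at time 2 (deadline 4).
STEPS = [("time", 1.0), ("send", "m1"), ("time", 1.0), ("send", "m2"), ("time", 1.0),
         ("receive", "m1"), ("time", 1.0), ("receive", "m2"), ("time", 5.0)]

if __name__ == "__main__":
    print("steps violating R or F:", check_execution(2.0, STEPS))  # []
```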

Whenever an automaton B is obtained from A by adding history variables, then there 
exists a history relation from A to B by definition. Theorem 4.36 states that the converse 
also holds, if weakly isomorphic automata are considered. 

Theorem 4.36 Let A and B be two comparable TAs. Suppose that there is a history 
relation from A to B. Then, there exists a TA C that is weakly isomorphic to B and is 
obtained from A by adding history variables. 

Proof: Assume, without loss of generality, that $X_A$ and $X_B$ are disjoint. Let R be a 
history relation from A to B. Define automaton C as follows: 

• $X_C = X_A \cup X_B$. 

• $Q_C = \{x \in val(X_C) \mid (x \lceil X_A, x \lceil X_B) \in R\}$. 

• $\Theta_C = \{x \in Q_C \mid x \lceil X_B \in \Theta_B\}$. 

• $E_C = E_B$ and $H_C = H_B$. 

• $x \xrightarrow{a}_C y$ if and only if $x \lceil X_B \xrightarrow{a}_B y \lceil X_B$. 

• $T_C = \{\tau \in trajs(Q_C) \mid \tau \downarrow X_B \in T_B\}$. 

Let $F : Q_C \to Q_B$ be the projection function such that $F(x) = x \lceil X_B$ for all $x \in Q_C$. 
It is easy to check that F is a weak isomorphism from C to B. We verify that C is obtained 
from A by adding history variables. Let $X_B$ be the variable set X required in the definition 
of a history variable and let $R' = \{(x, y) \mid y \in Q_C \wedge y \lceil X_A = x\}$. We need to show that 
R' is a history relation from A to C. 




1. R' is a forward simulation from A to C. 

By the definitions of the relations F, R' and the automaton C, $R' = F^{-1} \circ R$. Since $F^{-1}$ 
is a refinement from B to C, by Theorem 4.27, we know that it is a forward simulation 
from B to C. Since R is a forward simulation from A to B, by Theorem 4.20 we have that 
R' is a forward simulation from A to C, as needed. 

2. $R'^{-1}$ is a refinement from C to A. 

We use that $R'^{-1} = R^{-1} \circ F$. Since F is a refinement from C to B and $R^{-1}$ is a 
refinement from B to A, by Theorem 4.28, we have that $R'^{-1}$ is a refinement from C to 
A, as needed. □ 

In the untimed case, forward simulations are essentially the same as history relations 
(or variables) combined with refinements [44, Theorem 5.8]. Clearly, since history relations 
and refinements are both special cases of forward simulations, and since forward simula¬ 
tions compose, forward simulations are at least as powerful as arbitrary combinations of 
history relations and refinements. Conversely, if there is a forward simulation from A to 
B then there exists an automaton C with a history relation from A to C and a refinement 
from C to B. In [9] a corresponding result is claimed for timed automata (Theorem 7.8), 
but the proof turns out to be flawed. Example 7.13 of [9] constitutes a counterexample to 
Theorem 7.8 of [9]. Below, we have translated the example to the setting of this paper. 

Example 4.37 (Forward simulations more powerful than combinations of history relations 
and refinements). Consider the automata A and B specified in Figure 11. The two automaton 
definitions are very similar. Whereas in A an a-action is enabled when init = true 
and the value of now is a rational number, in B an a-action is enabled when init = true 
and the value of now is an integer. Whereas automaton A has a perfect clock with rate 1, 
automaton B measures time with a clock that may run either too slow or too fast, in an 
arbitrary fashion. 

It is easy to check that the predicate 

natural(B.now) A A.init = B.init 

determines a forward simulation from A to B. However, there does not exist a timed 
automaton C with a history relation from A to C and a refinement from C to B. The proof 
is by contradiction: suppose C is such a timed automaton. Let $x_0$ be a start state of C, let 
F be a history relation from A to C, and let R be a refinement from C to B. Then, by the 
start condition of a history relation, the start state (0, true) of A is related to $x_0$ by F. By 
the start condition of a refinement, R maps $x_0$ to the start state (0, true) of B. Since in 
A there is a trajectory with limit time 1 from (0, true) to (1, true), the transfer property 
for F gives that in C there is a trajectory $\tau$ with limit time 1 from $x_0$ to some state $x_1$ 
that is related by F to (1, true). Next, the transfer property for R gives that in B there 
is a trajectory with limit time 1 from (0, true) to state $R(x_1) = (t, true)$, for some t > 0. 
Since state (1, true) in A enables an a-action, $x_1$ enables an execution fragment in which 
automaton A 
  signature 
    external a 
  states 
    init: Bool := true, 
    now: Real := 0 
  transitions 
    external a 
      pre 
        init ∧ rational(now) 
      eff 
        init := false 
  trajectories 
    evolve 
      d(now) = 1 

automaton B 
  signature 
    external a 
  states 
    init: Bool := true, 
    now: Real := 0 
  transitions 
    external a 
      pre 
        init ∧ integer(now) 
      eff 
        init := false 
  trajectories 
    evolve 
      d(now) > 0 

Figure 11: The power of forward simulations. 


an a-action takes place within 0 time. Since $x_1$ is mapped by R to (t, true), it follows by 
the transfer property for R that t in fact equals some natural number n > 0. By Axioms 
T1 and T2, we can write $\tau$ as the concatenation $\tau_0\ \tau_1 \cdots \tau_n$ of n + 1 trajectories that all 
have limit time $\frac{1}{n+1}$. Using the fact that F is a history relation and the limit times of the 
trajectories $\tau_i$ are rational, we may infer that the last state of each trajectory $\tau_i$ enables an 
execution fragment in which an a-action takes place within 0 time. Using the fact that R 
is a refinement, we may infer that there is a trajectory in B from (0, true) to (n, true) on 
which there are at least n + 2 states (including the first and last state) in which an a-action 
is enabled. This contradicts the fact that in B actions a are only enabled at integer times, 
which implies that there are only n + 1 such states on any trajectory from (0, true) to 
(n, true). □ 


4.5.5 Prophecy Relations 

A relation $R \subseteq Q_A \times Q_B$ is a prophecy relation from A to B if R is a backward simulation 
from A to B and $R^{-1}$ is a refinement from B to A. Prophecy relations induce a preorder 
between timed automata. 

An automaton B is obtained from an automaton A by adding prophecy variables if 
there exists a set of variables X such that 

1. $X_B = X_A \cup X$ and $X_A \cap X = \emptyset$, 

2. $Q_B \lceil X_A \subseteq Q_A$, and 

3. the relation $\{(x, y) \mid y \in Q_B \text{ and } y \lceil X_A = x\}$ is a prophecy relation from A to B. 


Example 4.38 (Adding prophecy variables to obtain a refinement). We consider adding 
a prophecy variable to the automaton A from Example 4.34. Let C be the automaton 
defined as follows: 

• $X_C = X_A \cup \{v\}$ where v is a discrete variable with $type(v) = \{b, c\}$. 

• $Q_C = \{x_C, x'_C, y_C, y'_C, q_C, s_C\}$ such that 

$x_C \lceil X_A = x_A$ and $x_C(v) = b$ 
$x'_C \lceil X_A = x_A$ and $x'_C(v) = c$ 
$y_C \lceil X_A = y_A$ and $y_C(v) = b$ 
$y'_C \lceil X_A = y_A$ and $y'_C(v) = c$ 
$q_C \lceil X_A = q_A$ and $q_C(v) = b$ 
$s_C \lceil X_A = s_A$ and $s_C(v) = c$ 

• $\Theta_C = \{x_C, x'_C\}$. 

• $E_C = \{a, b, c\}$ and $H_C = \emptyset$. 

• $D_C = \{(x_C, a, y_C), (x'_C, a, y'_C), (y_C, b, q_C), (y'_C, c, s_C)\}$. 

• $T_C = \{\wp(v) \mid v \in Q_C\}$. 

Fig. 12 displays automata A and C as directed multigraphs. 



[Figure 12: automata A and C drawn as directed multigraphs; image not reproduced] 

Figure 12: A prophecy variable. 

Relation $R = \{(x_A, x_C), (x_A, x'_C), (y_A, y_C), (y_A, y'_C), (q_A, q_C), (s_A, s_C)\}$ is a backward 
simulation from A to C and $R^{-1}$ is a refinement. Therefore, C is obtained by adding a 
prophecy variable to A. Note that there is no refinement from A to the automaton B defined in 
Example 4.34. However, relation $F = \{(x_C, x_B), (x'_C, x_B), (y_C, y_B), (y'_C, y'_B), (q_C, q_B), (s_C, s_B)\}$ 
is a refinement from C to B. □ 
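The claims of Examples 4.34 and 4.38 can be checked mechanically, since the three automata are finite and all their trajectories are point trajectories. The following Python script (an added example, not part of the monograph) encodes A, B and C as discrete transition systems, computes the greatest forward and backward simulations as fixed points of the transfer conditions, and tests refinements via Theorem 4.27; state names follow the text, with y'B standing for $y'_B$.

```python
"""Simulation checks on the finite automata of Examples 4.34 and 4.38 (added example)."""
from typing import Callable, Set, Tuple

State = str
Step = Tuple[State, str, State]                       # (source, action, target)
Automaton = Tuple[Set[State], Set[State], Set[Step]]  # (states, start states, steps)
Relation = Set[Tuple[State, State]]

# Automata A and B of Example 4.34. Every trajectory is a point trajectory, so the
# trajectory conditions of the simulation definitions hold trivially; only steps matter.
A: Automaton = ({"xA", "yA", "qA", "sA"}, {"xA"},
                {("xA", "a", "yA"), ("yA", "b", "qA"), ("yA", "c", "sA")})
B: Automaton = ({"xB", "yB", "y'B", "qB", "sB"}, {"xB"},
                {("xB", "a", "yB"), ("xB", "a", "y'B"), ("yB", "b", "qB"), ("y'B", "c", "sB")})
# Automaton C of Example 4.38: A extended with the prophecy variable v in {b, c}.
C: Automaton = ({"xC", "x'C", "yC", "y'C", "qC", "sC"}, {"xC", "x'C"},
                {("xC", "a", "yC"), ("x'C", "a", "y'C"), ("yC", "b", "qC"), ("y'C", "c", "sC")})


def forward_step_ok(x: State, y: State, rel: Relation, low: Automaton, high: Automaton) -> bool:
    """Forward transfer for the pair (x, y): every step x -a-> x' of the low-level automaton
    has a matching step y -a-> y' of the high-level one with (x', y') in rel. There are no
    internal actions here, so a matching fragment is exactly one a-step."""
    return all(any(sy == y and ay == a and (dx, dy) in rel for (sy, ay, dy) in high[2])
               for (sx, a, dx) in low[2] if sx == x)


def backward_step_ok(x: State, y: State, rel: Relation, low: Automaton, high: Automaton) -> bool:
    """Backward transfer (condition 2 of Section 4.5.3): every step x' -a-> x ending in x has a
    matching step y' -a-> y ending in y with (x', y') in rel."""
    return all(any(dy == y and ay == a and (sx, sy) in rel for (sy, ay, dy) in high[2])
               for (sx, a, dx) in low[2] if dx == x)


def greatest_relation(low: Automaton, high: Automaton, local_ok: Callable) -> Relation:
    """Greatest fixed point: start from Q_low x Q_high and drop pairs violating the local
    condition until stable. Simulations are closed under union, so every simulation is a
    subset of the result, and the result is one exactly when it meets the global condition."""
    rel: Relation = {(x, y) for x in low[0] for y in high[0]}
    while True:
        bad = {(x, y) for (x, y) in rel if not local_ok(x, y, rel, low, high)}
        if not bad:
            return rel
        rel -= bad


def greatest_forward_simulation(low: Automaton, high: Automaton) -> Relation:
    return greatest_relation(low, high, forward_step_ok)


def greatest_backward_simulation(low: Automaton, high: Automaton) -> Relation:
    # Condition 1 of Section 4.5.3 is local too: a start state may only relate to a start state.
    def ok(x, y, rel, lo, hi):
        return (x not in lo[1] or y in hi[1]) and backward_step_ok(x, y, rel, lo, hi)
    return greatest_relation(low, high, ok)


def forward_simulation_exists(low: Automaton, high: Automaton) -> bool:
    """Global condition: each start state of low is related to some start state of high."""
    rel = greatest_forward_simulation(low, high)
    return all(any((x, y) in rel for y in high[1]) for x in low[1])


def backward_simulation_exists(low: Automaton, high: Automaton) -> bool:
    """Global condition: a backward simulation must be total on the states of low."""
    rel = greatest_backward_simulation(low, high)
    return all(any((x, y) in rel for y in high[0]) for x in low[0])


def is_refinement(rel: Relation, low: Automaton, high: Automaton) -> bool:
    """Theorem 4.27: a refinement is a forward simulation that is a partial function."""
    functional = len({x for (x, _) in rel}) == len(rel)
    start_ok = all(any((x, y) in rel for y in high[1]) for x in low[1])
    transfer_ok = all(forward_step_ok(x, y, rel, low, high) for (x, y) in rel)
    return functional and start_ok and transfer_ok


def inverse(rel: Relation) -> Relation:
    return {(y, x) for (x, y) in rel}


if __name__ == "__main__":
    print("forward simulation A -> B exists:", forward_simulation_exists(A, B))    # False
    print("greatest backward simulation A -> B:", sorted(greatest_backward_simulation(A, B)))
    r_ac = greatest_backward_simulation(A, C)
    print("R^-1 is a refinement C -> A:", is_refinement(inverse(r_ac), C, A))        # True
```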
Theorem 4.39 Let A and B be two comparable TAs such that $X_A$ and $X_B$ are disjoint. 
Suppose that there is a prophecy relation from A to B. Then, there exists an automaton 
C that is isomorphic to B and is obtained from A by adding prophecy variables. 

Proof: The proof is analogous to the proof of Theorem 4.36. We assume a backward 
simulation relation R instead of a forward simulation relation. We construct the automaton 
C as in Theorem 4.36 and verify that it is obtained from A by adding a prophecy variable. 
□ 
5 Operations on Timed Automata 


In this chapter we introduce three kinds of operations on timed automata: parallel com¬ 
position, hiding, and adding lower and upper bounds for tasks. 

5.1 Composition 

The composition operation for timed automata allows an automaton representing a com¬ 
plex system to be constructed by composing automata representing individual system 
components. Our composition operation identifies external actions with the same name 
in different component automata. When any component automaton performs a discrete 
step involving an action a, so do all component automata that have a as an external ac¬ 
tion. The composition operator for timed automata is simpler than it is for general hybrid 
automata since all the variables in a timed automaton are internal. 2 All the proofs of this 
section are as in [6], with simplifications due to the absence of external variables. 

5.1.1 Definitions and Basic Results 

Formally, we say that timed automata $A_1$ and $A_2$ are compatible if $H_1 \cap A_2 = H_2 \cap A_1 = \emptyset$ 
and $X_1 \cap X_2 = \emptyset$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \parallel A_2$ is defined 
to be the structure $A = (X, Q, \Theta, E, H, D, T)$ where 

• $X = X_1 \cup X_2$. 

• $Q = \{x \in val(X) \mid x \lceil X_i \in Q_i,\ i \in \{1, 2\}\}$. 

• $\Theta = \{x \in Q \mid x \lceil X_i \in \Theta_i,\ i \in \{1, 2\}\}$. 

• $E = E_1 \cup E_2$ and $H = H_1 \cup H_2$. 

• For each $x, x' \in Q$ and each $a \in A$, $x \xrightarrow{a}_A x'$ iff for $i \in \{1, 2\}$, either (1) $a \in A_i$ and 
$x \lceil X_i \xrightarrow{a}_{A_i} x' \lceil X_i$, or (2) $a \notin A_i$ and $x \lceil X_i = x' \lceil X_i$. 

• $T \subseteq trajs(Q)$ is given by $\tau \in T \Leftrightarrow \tau \downarrow X_i \in T_i,\ i \in \{1, 2\}$. 

Theorem 5.1 If Ai and A 2 are timed automata then Ai || A 2 is a timed automaton. 

The following “projection lemma” says that execution fragments of a composition of 
timed automata project to give executions fragments of the component automata. More¬ 
over, certain properties of the fragments of the composition imply, or are implied by, 
similar properties for the component fragments. 

2 The composition operation for general hybrid automata requires external variables to be identified as 
well as external actions. When any component automaton follows a particular trajectory for an external 
variable v, then so do all component automata of which v is an external variable. 
Lemma 5.2 Let $A = A_1 \parallel A_2$ and let $\alpha$ be an execution fragment of A. Then $\alpha \lceil (A_1, X_1)$ 
and $\alpha \lceil (A_2, X_2)$ are execution fragments of $A_1$ and $A_2$, respectively. Furthermore, 

1. $\alpha$ is time-bounded iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are time-bounded. 

2. $\alpha$ is admissible iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are admissible. 

3. $\alpha$ is closed iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are closed. 

4. $\alpha$ is non-Zeno iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are non-Zeno. 

5. $\alpha$ is an execution iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are executions. 

The following lemma says that we obtain the same result for an execution fragment a 
of a composition if we first extract the trace and then restrict to one of the components, 
or if we first restrict to the component and then take the trace. 

Lemma 5.3 Let $A = A_1 \parallel A_2$, and let $\alpha$ be an execution fragment of A. Then, for i = 1, 2, 
$trace(\alpha) \lceil (E_i, \emptyset) = trace(\alpha \lceil (A_i, X_i))$. 

The following theorem is a fundamental result that relates the set of traces of a com¬ 
posed automaton to the sets of traces of its components. Set inclusion in one direction 
expresses the idea that a trace of a composition “projects” to yield traces of the compo¬ 
nents. Set inclusion in the other direction expresses the idea that traces of components 
can be “pasted” to yield a trace of the composition. 

Theorem 5.4 Let $A = A_1 \parallel A_2$. Then $traces_A$ is exactly the set of $(E, \emptyset)$-sequences whose 
restrictions to $A_1$ and $A_2$ are traces of $A_1$ and $A_2$, respectively. 

That is, $traces_A = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{A_i},\ i \in \{1, 2\}\}$. 


Notation: The compatibility conditions for composition require the set of internal vari¬ 
ables of each automaton to be disjoint from the set of internal variables of all the other 
automata in the composition. We use a general scheme to disambiguate the internal 
variables of components in order to avoid possible name clashes that can violate the com¬ 
patibility conditions. If A is the name of an automaton and v is an internal variable of A, 
then we refer to this variable as A.v in the composite automaton. But if no confusion is 
possible, we write v rather than A.v. 

Example 5.5 (Periodic sending process with timeouts). Let C be the composition of 
three automata from Examples 4.1, 4.2 and 4.4: 

C = PeriodicSend ∥ TimedChannel ∥ Timeout 
where M = {m1, ..., mn} and b + u1 < u2. In a setting where b < u1, the following sequence 
is a trace of C: 


α = u1 send(m1) b receive(m1) u1 − b send(m2) b receive(m2) u1 − b ... 

where t denotes the trace whose domain is [0, t] and whose range is the set consisting of the 
function with the empty domain. The following invariant states that C never performs a 
timeout action. 

Invariant 1: In any reachable state x of C, x(suspected) = false. 

In order to prove this invariant we can use auxiliary invariants for the component 
automata, such as the one established in Example 4.11, and an auxiliary global invariant 
such as the one below, which establishes the fact that every message is delivered before 
the variable Timeout.clock reaches the point at which a timeout action occurs. 

Invariant 2: In any reachable state x of C, 

1. if x(queue) is not empty then there is a packet p such that 

p ∈ x(queue) and p.deadline − x(now) < u2 − x(Timeout.clock). 

2. if x(queue) is empty then 

u1 − x(PeriodicSend.clock) + b < u2 − x(Timeout.clock). □ 


Example 5.6 (Periodic sending process with failures and timeouts). In this example, we 
consider a composite automaton defined exactly like the one in Example 5.5 except that 
the automaton PeriodicSend is replaced with PeriodicSend2, the periodic sending process 
with failures. Let C = PeriodicSend2 || TimedChannel || Timeout. The following sequence 
is a trace of C: 


u1 send(m1) b receive(m1) b fail u2 − b timeout ∞. 

According to this sample trace, the first message sent by the periodic sending process is 
received exactly b time units after it is sent. The periodic sending process fails 2 × b time 
units after sending its first message. The timeout process performs a timeout since no 
second message arrives within the next u2 time units after the receipt of the first message. 

The following invariant states that a timeout performed by C can be used to conclude 
that the sender process has failed. We assume again that b + ul < u2. 

Invariant 1: In any reachable state x of C, 

x(Timeout.suspected) ⇒ x(PeriodicSend2.failed). 

The automaton C is guaranteed to perform a timeout to signal the failure of a process, 
within a specified amount of time after the occurrence of a fail event. The following is a 
formal statement of this property. 

Let α be an admissible execution of C in which a fail event occurs. Let t be the point 
in time at which the first fail event occurs in α. Then a timeout event occurs in α in the 
interval [t + u2 − u1, t + b + u2]. □ 

Example 5.7 (Clock synchronization). In this example we consider the composition
of three clock synchronization automata with six time-bounded channel automata. A
graphical representation of the composite automaton is given in Fig. 13. The abbreviation

Figure 13: Clock synchronization network.

$\mathit{CS}_i$ represents the automaton $\mathit{ClockSync}_i$ from Example 4.6. The abbreviation $\mathit{TC}_{i,j}$
represents the automaton TimedChannel from Example 4.1, the time-bounded channel with
maximum delay b, but with the send(m) and receive(m) actions renamed to send(m, i)
and receive(m, i, j), respectively, to enable communication of real-valued messages from
$\mathit{ClockSync}_i$ to $\mathit{ClockSync}_j$. Let

$C = \mathit{CS}_1 \parallel \mathit{CS}_2 \parallel \mathit{CS}_3 \parallel \mathit{TC}_{1,2} \parallel \mathit{TC}_{2,1} \parallel \mathit{TC}_{1,3} \parallel \mathit{TC}_{3,1} \parallel \mathit{TC}_{2,3} \parallel \mathit{TC}_{3,2}.$

A physical clock diverges from real time at the largest rate when it evolves with rate $(1 + r)$
or $(1 - r)$. For example, if a physical clock evolves with rate $1 + r$, then at time t, its
value is $t \times (1 + r)$. Hence, the largest possible difference between a physical clock and
the real time is $t \times r$. This property is stated by the invariant below.

Invariant 1: In any reachable state x of C, at any time $t \in T$, for any $i \in \{1, 2, 3\}$,
$|x(\mathit{CS}_i.\mathit{physclock}) - t| \le t \times r$.

Two physical clocks in C diverge at the largest rate when one evolves with rate $(1 + r)$
and the other with $(1 - r)$. It follows from Invariant 1 that, at any time t, the largest
possible difference between the physical clock values for two processes is $2 \times t \times r$. This
property is formalized by the following invariant.

Invariant 2: In any reachable state x of C, at any time $t \in T$, for any $i, j \in \{1, 2, 3\}$,
$|x(\mathit{CS}_i.\mathit{physclock}) - x(\mathit{CS}_j.\mathit{physclock})| \le 2 \times t \times r$.

The following invariant states that in any reachable state there exists a process j such
that the logical clock of each other process in the system is smaller than or equal to the
physical clock of j. This follows from the definition of a logical clock and the fact that
physical clocks always increase.

Invariant 3: In any reachable state x of C, there exists $j \in \{1, 2, 3\}$ such that for all
$i \in \{1, 2, 3\}$, $x(\mathit{CS}_i.\mathit{logclock}) \le x(\mathit{CS}_j.\mathit{physclock})$.

The following invariant states that in any reachable state there exists a process j such
that the logical clock of each other process in the system is larger than or equal to the
physical clock of j. This follows from the definition of a logical clock.

Invariant 4: In any reachable state x of C, there exists $j \in \{1, 2, 3\}$ such that for all
$i \in \{1, 2, 3\}$, $x(\mathit{CS}_i.\mathit{logclock}) \ge x(\mathit{CS}_j.\mathit{physclock})$.

Invariants 3 and 4 together are called validity properties. They express the condition
that all the logical clocks remain in an envelope bounded by the maximum and minimum
physical clock values in the system. The following invariant formalizes the property that
all the logical clocks at a given time lie within the envelope formed by the largest and the
smallest physical clock values in the system. It follows from Invariants 1, 3 and 4 that any
point in this envelope can diverge from real time t by at most $t \times r$ time units.

Invariant 5: In any reachable state x of C, at any time $t \in T$, for any $i \in \{1, 2, 3\}$,
$|x(\mathit{CS}_i.\mathit{logclock}) - t| \le t \times r$.

Finally, we state a property about the agreement of logical clocks in C. It says that
the difference between two logical clocks is always bounded by a constant (which depends
on the message-sending interval and the bounds on clock drift and message delay).

Invariant 6: In any reachable state x of C, for all $i, j \in \{1, 2, 3\}$,

$|x(\mathit{CS}_i.\mathit{logclock}) - x(\mathit{CS}_j.\mathit{logclock})| \le u + (b \times (1 + r))$.

To see why Invariant 6 holds, fix j to be a process with the largest physical clock in x,
and fix i to be any other process. Let $v_j$, $v_i$ be the logical clock values of j and i respectively
in state x. Note that $v_j$ is also the physical clock value of j in x. By Invariant 3, we know
that $v_i \le v_j$. To show Invariant 6, it suffices to show that $v_j - v_i \le u + (b \times (1 + r))$.

Let α be a finite execution that leads to state x. There are two cases to consider.

1. Some message sent by j arrives at i in α.

   Consider the last such message and let $v_1$ be the value that it contains. Let $v_2$ be
   the newly adjusted logical clock value of i immediately after the message arrives.
   We know that $v_i \ge v_2 \ge v_1$.

   If j sends a later message to i in α, then it sends the next later message when its
   physical clock has value $v_1 + u$. By assumption, this message does not arrive at i.
   Therefore, the real time that elapses after sending it must be at most b. It follows
   that the physical clock increase of j since sending this message is at most $b \times (1 + r)$
   and so $v_j \le v_1 + u + b \times (1 + r)$. On the other hand, if j does not send a later message
   to i in α, then $v_j \le v_1 + u$. In either case, we have $v_j \le v_1 + u + b \times (1 + r)$. Since
   $v_i \ge v_1$, we have $v_j - v_i \le u + b \times (1 + r)$, as needed for Invariant 6.

2. No message sent by j arrives at i in α.

   Since the first send occurs at time 0 and b is the largest possible communication
   delay, the fact that i has not received the first message sent by j at time 0 implies
   that $t \le b$. Since both clocks start at 0, we have $v_j \le b \times (1 + r)$ and $v_i \ge 0$.
   Therefore, $v_j - v_i \le u + b \times (1 + r)$, which suffices for Invariant 6. □


5.1.2 Substitutivity Results 

Theorem 5.4, which relates the set of traces of a composed automaton to the set of traces 
of component automata, is fundamental for compositional reasoning. We now introduce 
another important class of results, substitutivity results, that are useful for decomposing 
verification of composite automata. These results are best understood by viewing one of 
the components of a composition as the system and the other as the environment with 
which the system interacts. 

The following result states that if a TA $A_1$ can be shown to implement another one
$A_2$, with no assumptions about their environments, then $A_1$ can be shown to implement
$A_2$ in a given environment B.

Theorem 5.8 Suppose $A_1$, $A_2$ and B are TAs, $A_1$ and $A_2$ have the same external actions,
and each of $A_1$ and $A_2$ is compatible with B. If $A_1 \le A_2$ then $A_1 \parallel B \le A_2 \parallel B$.

Commutativity of the composition operation together with repeated application of
Theorem 5.8 gives the following corollary.

Corollary 5.9 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. If $A_1 \le A_2$ and $B_1 \le B_2$ then $A_1 \parallel B_1 \le A_2 \parallel B_2$.

We can strengthen Corollary 5.9 slightly by the following corollary: if $A_1$ implements
$A_2$ in an environment $B_2$, then $A_1$ composed with an environment that is more restrictive
than $B_2$ (whose set of external behaviors is smaller than that of $B_2$) implements $A_2$
composed with $B_2$.

Corollary 5.10 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. If $A_1 \parallel B_2 \le A_2 \parallel B_2$ and $B_1 \le B_2$ then $A_1 \parallel B_1 \le A_2 \parallel B_2$.

Proof: Let $\beta \in \mathit{traces}_{A_1 \parallel B_1}$. By Theorem 5.4, $\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and
$\beta \lceil (E_{B_1}, \emptyset) \in \mathit{traces}_{B_1}$. Since $B_1 \le B_2$, $\beta \lceil (E_{B_1}, \emptyset) \in \mathit{traces}_{B_2}$. Since $B_1$ and $B_2$
have the same external actions, it follows that $\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. We have
$\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and $\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. By Theorem 5.4,
$\beta \in \mathit{traces}_{A_1 \parallel B_2}$. Since $A_1 \parallel B_2 \le A_2 \parallel B_2$ by assumption, $\beta \in \mathit{traces}_{A_2 \parallel B_2}$,
as needed. □

For other preorders, we also get substitutivity results, for example:

Theorem 5.11 Suppose $A_1$, $A_2$ and B are TAs, $A_1$ and $A_2$ have the same external
actions, and each of $A_1$ and $A_2$ is compatible with B.

1. If every closed trace of $A_1$ is a trace of $A_2$ then every closed trace of $A_1 \parallel B$ is a trace
   of $A_2 \parallel B$.

2. If every admissible trace of $A_1$ is a trace of $A_2$ then every admissible trace of $A_1 \parallel B$
   is a trace of $A_2 \parallel B$.

3. If every non-Zeno trace of $A_1$ is a trace of $A_2$ then every non-Zeno trace of $A_1 \parallel B$
   is a trace of $A_2 \parallel B$.

Example 5.12 (A counterexample for a desirable substitutivity theorem).

Suppose $A_1$ and $A_2$ have the same external actions, $B_1$ and $B_2$ have the same external
actions, and that each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If we view
$A_2$ and $B_2$ as specifications and want to prove that $A_1 \parallel B_1 \le A_2 \parallel B_2$, it would be useful to
have a theorem that says if $A_1 \parallel B_2 \le A_2 \parallel B_2$ and $A_2 \parallel B_1 \le A_2 \parallel B_2$ then $A_1 \parallel B_1 \le A_2 \parallel B_2$.

That is, if $A_1$ implements $A_2$ in the context of $B_2$ and $B_1$ implements $B_2$ in the context
of $A_2$, we would like to conclude that $A_1 \parallel B_1$ implements $A_2 \parallel B_2$. We show by means of
automaton CatchUpA
  signature
    external a, b
  states
    counta: Nat := 0, countb: Nat := 0,
    now: Real := 0, next: discrete Real := 0
  transitions
    external a
      pre
        (counta ≤ countb) ∧ (now = next)
      eff
        counta := counta + 1;
        next := now + 1
    external b
      eff
        countb := countb + 1;
        next := now + 1
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

automaton CatchUpB
  signature
    external a, b
  states
    counta: Nat := 0, countb: Nat := 0,
    now: Real := 0, next: discrete Real := 0
  transitions
    external a
      eff
        counta := counta + 1;
        next := now + 1
    external b
      pre
        (countb + 1 ≤ counta) ∧ (now = next)
      eff
        countb := countb + 1;
        next := now + 1
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

Figure 14: CatchUpA and CatchUpB.
automaton BoundedAlternateA
  signature
    external a, b
  states
    myturn: Bool := true,
    maxout: Nat
  transitions
    external a
      pre
        myturn ∧ (maxout > 0)
      eff
        myturn := false;
        maxout := maxout - 1
    external b
      eff
        myturn := true

automaton BoundedAlternateB
  signature
    external a, b
  states
    myturn: Bool := false,
    maxout: Nat
  transitions
    external a
      eff
        myturn := true
    external b
      pre
        myturn ∧ (maxout > 0)
      eff
        myturn := false;
        maxout := maxout - 1

Figure 15: BoundedAlternateA and BoundedAlternateB.


a counterexample that it is impossible to prove such a theorem. The problem arises with
the infinite behaviors of $A_1 \parallel B_2$.

As examples for $A_1$, $B_1$, $A_2$, and $B_2$, consider, respectively, the automata CatchUpA,
CatchUpB, BoundedAlternateA, BoundedAlternateB in Figs. 14 and 15. All automata have
the same set of actions, consisting of the external actions a and b. CatchUpA can perform
an arbitrary number of b actions, and can perform an a provided that counta ≤ countb
and one time unit has elapsed since the occurrence of the last action. CatchUpA allows
counta to increase to one more than countb. CatchUpB can perform an arbitrary number
of a actions, and can perform a b provided that counta is at least one more than countb.
CatchUpB allows countb to reach counta.

BoundedAlternateA has an infinite number of start states, each giving a different finite
bound on the number of a actions it can perform. Similarly, BoundedAlternateB has an
infinite number of start states, each giving a different finite bound on the number of b
actions it can perform. Note that the absence of trajectory definitions in the specifications
of these automata implies that they are timing-independent. That is, there is no constraint
on the timing of actions.

The automata CatchUpA and CatchUpB strictly alternate a's and b's until a maximum
count is reached, when put in the context of, respectively, BoundedAlternateB and
BoundedAlternateA. Hence, on the one hand

$\mathit{CatchUpA} \parallel \mathit{BoundedAlternateB} \le \mathit{BoundedAlternateA} \parallel \mathit{BoundedAlternateB},$

and

$\mathit{BoundedAlternateA} \parallel \mathit{CatchUpB} \le \mathit{BoundedAlternateA} \parallel \mathit{BoundedAlternateB}.$

On the other hand, $\mathit{CatchUpA} \parallel \mathit{CatchUpB}$ can perform an infinite sequence of alternating
a and b actions, which is not allowed by $\mathit{BoundedAlternateA} \parallel \mathit{BoundedAlternateB}$.
Hence, $\mathit{CatchUpA} \parallel \mathit{CatchUpB}$ does not implement $\mathit{BoundedAlternateA} \parallel \mathit{BoundedAlternateB}$.
□
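The argument of Example 5.12 can be replayed mechanically. The following Python model is an added example, not part of the monograph: it encodes the four automata of Figs. 14 and 15, composes them by synchronising on the shared actions a and b, and lets time advance to the nearest "stop when" deadline whenever no action is enabled; the class and function names are our own.

```python
import math

INF = math.inf


class CatchUp:
    """CatchUpA (side='A') or CatchUpB (side='B') of Fig. 14."""

    def __init__(self, side):
        self.side = side
        self.counta = self.countb = 0
        self.now = self.next = 0.0

    def enabled(self, act):
        if self.side == 'A' and act == 'a':       # pre of a in CatchUpA
            return self.counta <= self.countb and self.now == self.next
        if self.side == 'B' and act == 'b':       # pre of b in CatchUpB
            return self.countb + 1 <= self.counta and self.now == self.next
        return True                               # the other action has no pre

    def do(self, act):
        if act == 'a':
            self.counta += 1
        else:
            self.countb += 1
        self.next = self.now + 1                  # next := now + 1

    def deadline(self):
        return self.next - self.now               # trajectories stop when now = next

    def advance(self, dt):
        self.now += dt                            # evolve d(now) = 1


class BoundedAlternate:
    """BoundedAlternateA (side='A') or BoundedAlternateB (side='B') of Fig. 15;
    `maxout` selects one of the infinitely many start states."""

    def __init__(self, side, maxout):
        self.side = side
        self.maxout = maxout
        self.myturn = (side == 'A')               # A starts with myturn = true

    def enabled(self, act):
        if act == self.side.lower():              # a in A, b in B: the bounded action
            return self.myturn and self.maxout > 0
        return True

    def do(self, act):
        if act == self.side.lower():
            self.myturn = False
            self.maxout -= 1
        else:
            self.myturn = True

    def deadline(self):
        return INF                                # no trajectories: timing-independent

    def advance(self, dt):
        pass


def run(components, max_steps):
    """Execute the composition of `components`, which synchronise on a and b.
    When both actions are enabled, a is taken first.  Returns the list of
    (time, action) pairs, cut off at max_steps; it stops early when the
    composition is time-blocked (deadline 0, nothing enabled) or when every
    deadline is infinite and nothing is enabled (no action will ever fire)."""
    trace, now = [], 0.0
    while len(trace) < max_steps:
        enabled = [x for x in 'ab' if all(c.enabled(x) for c in components)]
        if enabled:
            for c in components:
                c.do(enabled[0])
            trace.append((now, enabled[0]))
            continue
        dt = min(c.deadline() for c in components)
        if dt == 0 or dt == INF:
            break
        for c in components:
            c.advance(dt)
        now += dt
    return trace


def alternates_from_a(trace):
    """True iff the actions read a, b, a, b, ...: the only finite action
    sequences BoundedAlternateA || BoundedAlternateB admits (for large maxout)."""
    return all(act == 'ab'[i % 2] for i, (_, act) in enumerate(trace))


if __name__ == '__main__':
    # A1 || B1 = CatchUpA || CatchUpB uses up any step budget: it never stops alternating.
    print(len(run([CatchUp('A'), CatchUp('B')], 100)))
    # A1 || B2 and A2 || B1 stop once the bounded component is exhausted.
    print(run([CatchUp('A'), BoundedAlternate('B', 3)], 100))
    print(run([BoundedAlternate('A', 2), CatchUp('B')], 100))
```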


In Chapter 7, we revisit the substitutivity issue and prove Theorem 7.8, a variant of
the desirable theorem considered in the above example, by assuming certain conditions on
the environments $A_2$ and $B_2$.

5.2 Hiding 

We now define an operation that "hides" external actions of a timed automaton by
reclassifying them as internal actions. This prevents them from being used for further
communication and means that they are no longer included in traces. The operation is
parametrized by a set of external actions: If A is a timed automaton and $E \subseteq E_A$, then
$\mathit{ActHide}(E, A)$ is the timed automaton B that is equal to A except that $E_B = E_A - E$ and
$H_B = H_A \cup E$.

Lemma 5.13 If $E \subseteq E_A$ then $\mathit{ActHide}(E, A)$ is a TA.

The following lemma characterizes the traces of the automaton that results from
applying a hiding operation.

Lemma 5.14 If A is a TA and $E \subseteq E_A$ then $\mathit{traces}_{\mathit{ActHide}(E, A)} = \{\beta \lceil (E_A - E, \emptyset) \mid \beta \in \mathit{traces}_A\}$.

Using Lemma 5.14, it is straightforward to establish that the hiding operation respects
the implementation relation.

Theorem 5.15 Suppose A and B are TAs with $A \le B$, and suppose $E \subseteq E_A$. Then
$\mathit{ActHide}(E, A) \le \mathit{ActHide}(E, B)$.


Example 5.16 (Clock and manager). Consider a simple system consisting of a "clock"
and a "manager". The clock ticks once every $[c_1, c_2]$ time units and the manager issues a
"grant" within b time units after counting $k > 0$ ticks. We assume $0 < b < c_1 < c_2$. The
problem is to prove upper and lower bounds on the time between successive grant actions.

Figure 16 gives a formal specification of the clock in terms of the TA $\mathit{Clock}(c_1, c_2)$
and the manager in terms of the TA $\mathit{Manager}(k, b)$. The full system with the tick actions
hidden can be defined by

$\mathit{System} = \mathit{ActHide}(\{\mathit{tick}\},\ \mathit{Clock} \parallel \mathit{Manager})$

Consider the automaton Specification displayed in Figure 17. This automaton is equal
to Clock, except for some renamings. We claim that the manager issues a grant once every
$[c_1 \cdot k - b,\ c_2 \cdot k + b]$ time units. An equivalent formulation of this claim is:

$\mathit{System} \le \mathit{Specification}(c_1 \cdot k - b,\ c_2 \cdot k + b)$

In order to prove the claim, one may first establish that the predicate

$\mathit{Inv} = 0 \le x \le c_2 \ \wedge\ (\mathit{count} = 0 \Rightarrow x = y \le b) \ \wedge\ 0 \le \mathit{count} \le k$

defines an invariant of System, and use this to verify that the conjunction of Inv and

$c_1 \cdot (k - \mathit{count}) - b \le z - x \le c_2 \cdot (k - \mathit{count})$

defines a forward simulation from System to $\mathit{Specification}(c_1 \cdot k - b,\ c_2 \cdot k + b)$. □
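As an added illustration of the bound claimed in Example 5.16 (this is not code from the monograph), the Python model below executes Clock(c1, c2) ‖ Manager(k, b) under explicitly chosen tick spacings and grant delays, records the grant times that remain visible after tick is hidden, and checks them against Specification(c1·k − b, c2·k + b); the function names and the sample parameter values are our own.

```python
def claimed_bounds(c1, c2,  k, b):
    """The interval [c1*k - b, c2*k + b] claimed in Example 5.16."""
    return (c1 * k - b, c2 * k + b)


def run_system(c1, c2, k, b, tick_gaps, grant_waits):
    """Execute Clock(c1, c2) || Manager(k, b) with the nondeterminism resolved
    by the caller: tick_gaps[i] is the time between consecutive ticks (Clock
    allows any value in [c1, c2]: tick needs x >= c1 and time stops at x = c2);
    grant_waits[j] is how long the Manager waits after its k-th tick before
    granting (any value in [0, b]: time stops when count = 0 and y = b).
    Returns the grant times, i.e. the trace that is left after hiding tick.
    Raises ValueError if a choice is not allowed by the automata."""
    if not (0 < b < c1 < c2 and k > 0):
        raise ValueError("Example 5.16 assumes 0 < b < c1 < c2 and k > 0")
    waits = iter(grant_waits)
    now, count, grants = 0.0, k, []
    for gap in tick_gaps:
        if not c1 <= gap <= c2:
            raise ValueError(f"tick after {gap} time units violates Clock({c1}, {c2})")
        # Because b < c1, a pending grant (count = 0) always fires before the
        # next tick: the Manager's stop condition forces it by y = b.
        now += gap
        count -= 1                                # external tick: count := count - 1
        if count == 0:                            # y := 0; grant is now enabled
            w = next(waits, None)
            if w is None or not 0 <= w <= b:
                raise ValueError(f"grant wait {w} violates Manager({k}, {b})")
            grants.append(now + w)                # grant: pre count = 0
            count = k                             # eff count := k
    return grants


def spec_accepts(lb, ub, grant_times):
    """Is the grant sequence a trace of Specification(lb, ub)?  z is reset by
    every grant, grant needs z >= lb, and time cannot pass beyond z = ub."""
    last = 0.0
    for t in grant_times:
        if not lb <= t - last <= ub:
            return False
        last = t
    return True


def is_legal_run(c1, c2, k, b, tick_gaps, grant_waits):
    """True iff the chosen gaps and waits describe an execution of the system."""
    try:
        run_system(c1, c2, k, b, tick_gaps, grant_waits)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed parameters: ticks every [2, 3], k = 3 ticks per grant, b = 1.
    lb, ub = claimed_bounds(2, 3, 3, 1)          # (5, 10)
    fastest = run_system(2, 3, 3, 1, [2] * 6, [1, 0])    # grants at 7 and 12: gap 5 = lb
    slowest = run_system(2, 3, 3, 1, [3] * 6, [0, 1])    # grants at 9 and 19: gap 10 = ub
    print(lb, ub, fastest, slowest)
    print(spec_accepts(lb, ub, fastest), spec_accepts(lb, ub, slowest))
```

The two extreme runs show that both ends of the claimed interval are actually reached, so the bound is tight as well as sound.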


5.3 Extending Timed Automata with Bounds 

In this section, we define a new class of automata, "TA with bounds", where the basic
definition of a timed automaton is extended with the notion of a task and a pair of bounds
(a lower and an upper bound) for each task. We then define an operation that transforms
a given TA with bounds to another TA. This operation supports specifying a system by
thinking in terms of tasks and bounds as in the timed automata of Merritt et al. [7] and
the phase transition systems of Maler et al. [12].

In defining the operation for extending timed automata with bounds, we restrict attention
to a class of automata where the enabling and disabling of actions during trajectories
follow certain rules. Specifically, our operation is defined on automata in which each action
is enabled or disabled throughout an entire trajectory, or becomes enabled once during a
trajectory and remains so until the end of that trajectory. The given restrictions ensure
that the result of applying the operation to a TA is another TA and that the resulting TA
satisfies the restrictions.

automaton Clock(c1, c2: Real)
  signature
    external tick
  states
    x: Real := 0
  initially 0 < c1 ∧ c1 < c2
  transitions
    external tick
      pre
        x ≥ c1
      eff
        x := 0
  trajectories
    stop when
      x = c2
    evolve
      d(x) = 1

automaton Manager(k: Int, b: Real)
  signature
    external tick, grant
  states
    y: Real := 0,
    count: Int := k
  initially b > 0 ∧ k > 0
  transitions
    external tick
      eff
        count := count - 1;
        if count = 0 then y := 0
    external grant
      pre
        count = 0
      eff
        count := k
  trajectories
    stop when
      count = 0 ∧ y = b
    evolve
      d(y) = 1

Figure 16: Automata Clock and Manager.

automaton Specification(lb, ub: Real)
  signature
    external grant
  states
    z: Real := 0
  initially 0 < lb ∧ lb < ub
  transitions
    external grant
      pre
        z ≥ lb
      eff
        z := 0
  trajectories
    stop when
      z = ub
    evolve
      d(z) = 1

Figure 17: Automaton Specification.

Let A be a TA, C a set of actions of A, and T the set of trajectories of A. We say
that T is well-formed with respect to C if for each $\tau \in T$ and for each $t \in \mathit{dom}(\tau)$ both
of the following conditions hold:

1. (Stability) If C is enabled in $\tau(t)$ then for all $t' \in \mathit{dom}(\tau)$ with $t < t'$, C is enabled
   in $\tau(t')$.

2. (Left-closedness) If C is not enabled in $\tau(t)$ then there exists a $t' \in \mathit{dom}(\tau)$ with
   $t < t'$ such that C is not enabled in $\tau(t')$.

A TA with bounds, $A = (B, C, l, u)$, consists of:

• A timed automaton $B = (X, Q, \Theta, E, H, D, T)$.

• A set $C \subseteq E \cup H$ of actions called a task; we assume that T is well-formed with
  respect to C.

• A lower time bound $l \in \mathbb{R}^{\ge 0}$ and an upper time bound $u \in \mathbb{R}^{\ge 0} \cup \{\infty\}$ with $l \le u$.

Lower and upper bounds are used to specify how much time is allowed to pass between
the enabling and the performance of an action. If l is the lower bound for a task C, then
an action in C must remain enabled at least for l time units before being performed. If u
is the upper bound for a task C, then an action in C can remain enabled at most u time
units without being performed: it must either be performed or become disabled within u
time units.

We now define an operation Extend, which transforms a TA A with bounds to another
TA A' that incorporates the new bounds, in addition to the timing constraints already
present in A. Let $A = (B, C, l, u)$ be a TA with bounds where $B = (X, Q, \Theta, E, H, D, T)$.
Then $\mathit{Extend}(A)$ is the TA $A' = (X', Q', \Theta', E', H', D', T')$ where

• $X' = X \cup \{\mathit{now}, \mathit{first}, \mathit{last}\}$ where:

  1. now, first, and last are new variables that do not appear in X.

  2. now is an analog variable such that $\mathit{type}(\mathit{now}) = \mathbb{R}$.

  3. first and last are discrete variables where $\mathit{type}(\mathit{first}) = \mathbb{R}$ and $\mathit{type}(\mathit{last}) = \mathbb{R} \cup \{\infty\}$.

• $Q' = \{x \in \mathit{val}(X') \mid x \lceil X \in Q\}$.

• $\Theta'$ consists of all the states $x \in Q'$ that satisfy the following conditions:

  1. $x \lceil X \in \Theta$.

  2. $x(\mathit{now}) = 0$.

  3. $x(\mathit{first}) = l$ if C is enabled in $x \lceil X$, and $x(\mathit{first}) = 0$ otherwise;
     $x(\mathit{last}) = u$ if C is enabled in $x \lceil X$, and $x(\mathit{last}) = \infty$ otherwise.

• $E' = E$ and $H' = H$. We write $A' = E' \cup H'$.

• If $a \in A'$ then $(x, a, x') \in D'$ exactly if all of the following conditions hold:

  1. $(x \lceil X) \xrightarrow{a}_A (x' \lceil X)$.

  2. $x'(\mathit{now}) = x(\mathit{now})$.

  3. (a) If $a \in C$, then $x(\mathit{first}) \le x(\mathit{now})$.

     (b) If C is enabled both in $x \lceil X$ and $x' \lceil X$ and $a \notin C$, then $x(\mathit{first}) = x'(\mathit{first})$
         and $x(\mathit{last}) = x'(\mathit{last})$.

     (c) If C is enabled in $x' \lceil X$ and either C is not enabled in $x \lceil X$ or $a \in C$,
         then $x'(\mathit{first}) = x(\mathit{now}) + l$ and $x'(\mathit{last}) = x(\mathit{now}) + u$.

     (d) If C is not enabled in $x' \lceil X$, then $x'(\mathit{first}) = 0$ and $x'(\mathit{last}) = \infty$.

• $T'$ is the set that consists of all $\tau \in \mathit{trajs}(Q')$ that satisfy the following conditions:

  1. $\tau \downarrow X \in T$.

  2. $d(\mathit{now}) = 1$.

  3. (a) If for all $t \in \mathit{dom}(\tau)$, C is enabled in $(\tau \downarrow X)(t)$ then first and last are
         constant throughout τ.

     (b) If for all $t \in \mathit{dom}(\tau)$, C is disabled in $(\tau \downarrow X)(t)$ then first and last are
         constant throughout τ.

     (c) If for all $t' \in [0, t)$, C is disabled in $\tau(t')$ and for all $t' \in \mathit{dom}(\tau) - [0, t)$, C
         is enabled in $\tau(t')$ then

         i. first and last are constant in $[0, t)$.

         ii. $\tau(t)(\mathit{first}) = \tau(t)(\mathit{now}) + l$ and $\tau(t)(\mathit{last}) = \tau(t)(\mathit{now}) + u$.

         iii. first and last are constant in $\mathit{dom}(\tau) - [0, t)$.

     (d) $\mathit{now} \le \mathit{last}$.

The transformation is based on the idea of augmenting the state of the original automaton
with a variable to represent current time (now) and the earliest time (first) and
the latest time (last) a task can be performed. All these variables represent time in absolute
terms. Item 3(a) in the definition of $D'$ expresses the new lower bound constraint
and Item 3(d) in the definition of $T'$ the new upper bound constraint.

Let A be a TA with bounds $(B, C, l, u)$. In a start state x of $\mathit{Extend}(A)$, the variables
first and last are initialized to l and u respectively, if C is enabled in x. If C is not enabled
in x, then first is set to 0 and last is set to ∞. Items 3(c) in the definition of $D'$ and 3(c) in
the definition of $T'$ show how the variables first and last are updated. When C becomes
newly enabled by a discrete transition or when a C action leads to a state in which C is
enabled, first is set to $\mathit{now} + l$ and last is set to $\mathit{now} + u$. The variables first and last are
updated similarly when C becomes newly enabled in the course of a trajectory.
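The bookkeeping of Extend can be made executable. The Python class below is an added example, not from the monograph: it implements the D' rules for first and last on discrete steps and the T' rules on time passage, over a base automaton whose state does not change during trajectories (a timing-independent TA, the starting point of Example 5.21), so only items 3(a), 3(b) and 3(d) of T' can apply and item 3(c) never arises; the base automaton Server, the task {serve} and the bounds l = 1, u = 3 are constructed for illustration.

```python
import math

INF = math.inf


class TimingViolation(Exception):
    """The attempted step is not a transition or trajectory of Extend(A)."""


class Server:
    """Constructed timing-independent base automaton B: its state changes only
    through discrete actions, so enabling never changes during a trajectory."""
    MOVES = {'request': ('idle', 'pending'), 'serve': ('pending', 'served'),
             'cancel': ('pending', 'idle'), 'reset': ('served', 'idle')}

    def __init__(self):
        self.pc = 'idle'

    def enabled(self, a):
        return self.MOVES[a][0] == self.pc

    def apply(self, a):
        self.pc = self.MOVES[a][1]


class Extend:
    """Extend(A) for the TA with bounds A = (B, C, l, u); now, first and last
    hold absolute times, as in the definition of X'."""

    def __init__(self, base, task, l, u):
        if not 0 <= l <= u:
            raise ValueError("bounds must satisfy 0 <= l <= u")
        self.base, self.task, self.l, self.u = base, frozenset(task), l, u
        self.now = 0.0                            # Theta': now = 0
        if self.task_enabled():                   # Theta': first = l, last = u ...
            self._rearm()
        else:                                     # ... or first = 0, last = infinity
            self._disarm()

    def task_enabled(self):
        """'C is enabled' in the current base state: some action of C is enabled."""
        return any(self.base.enabled(a) for a in self.task)

    def _rearm(self):                             # first := now + l, last := now + u
        self.first, self.last = self.now + self.l, self.now + self.u

    def _disarm(self):                            # first := 0, last := infinity
        self.first, self.last = 0.0, INF

    def step(self, a):
        """Discrete transition (x, a, x') of D'."""
        if not self.base.enabled(a):              # D' 1: must be a step of B
            raise TimingViolation(f"{a} is not enabled in B")
        if a in self.task and self.first > self.now:
            raise TimingViolation(                # D' 3(a): lower bound not reached
                f"{a} at now={self.now} is before first={self.first}")
        was_enabled = self.task_enabled()
        self.base.apply(a)                        # D' 2: now is unchanged by a step
        if not self.task_enabled():
            self._disarm()                        # D' 3(d): C disabled in x'
        elif not was_enabled or a in self.task:
            self._rearm()                         # D' 3(c): C newly enabled, or a in C
        # D' 3(b): C stays enabled and a is not in C: first and last unchanged

    def advance(self, dt):
        """Trajectory of duration dt: d(now) = 1 (T' 2); first and last stay
        constant (T' 3(a)/(b)); now <= last must hold throughout (T' 3(d))."""
        if dt < 0:
            raise ValueError("dt must be nonnegative")
        if self.now + dt > self.last:
            raise TimingViolation(
                f"time {self.now + dt} would pass last={self.last} without a C action")
        self.now += dt


def run(script, l=1.0, u=3.0):
    """Run a script of ('step', action) / ('wait', dt) items on
    Extend((Server, {serve}, l, u)).  Returns (trace, None), where trace lists
    (now, first, last) after each item, or (trace, reason) at the first item
    that is not an execution step of Extend(A)."""
    ext, trace = Extend(Server(), {'serve'}, l, u), []
    for kind, arg in script:
        try:
            if kind == 'step':
                ext.step(arg)
            else:
                ext.advance(arg)
        except TimingViolation as e:
            return trace, str(e)
        trace.append((ext.now, ext.first, ext.last))
    return trace, None


if __name__ == '__main__':
    # serve is allowed at now = 2 (first = 1 <= 2 <= last = 3); afterwards C is
    # disabled, so first = 0, last = infinity and time may pass freely.
    print(run([('step', 'request'), ('wait', 2.0), ('step', 'serve'), ('wait', 100.0)]))
    print(run([('step', 'request'), ('wait', 0.5), ('step', 'serve')]))  # Theorem 5.20(2)
    print(run([('step', 'request'), ('wait', 3.5)]))                     # Theorem 5.20(1)
```

The second and third scripts are the two kinds of execution fragment that Theorem 5.20 rules out: a C action earlier than l after enabling, and more than u time units of enabling without a C action.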

Theorem 5.17 Suppose that $A = (B, C, l, u)$ is a TA with bounds. Then $\mathit{Extend}(A)$ is a
TA with a set of trajectories that is well-formed with respect to C.

Proof: The proof follows from the definitions of TA and the operation Extend. Step
3(a) in the definition of $D'$ adds a new lower bound constraint, which makes enabling
start at some particular time. Step 3(d) in the definition of $T'$ adds a new upper bound
constraint, which stops trajectories at a particular time and which does not add any
enabling or disabling to trajectories. □

In the rest of this section, we sometimes speak of variables, states and traces of a TA
with bounds. If $A = (B, C, l, u)$ is a TA with bounds, the variables, states and traces of A
refer to, respectively, the variables, the states and the traces of the underlying automaton B.

Theorem 5.18 Suppose A is a TA with bounds. Then $\mathit{traces}_{\mathit{Extend}(A)} \subseteq \mathit{traces}_A$.

Proof: Let $F : Q' \to Q$ be defined as follows: $F(x) = x \lceil X$, where X is the set of
internal variables of A. It is easy to check that F is a refinement from $\mathit{Extend}(A)$ to A.
By Theorem 4.27 and Corollary 4.23, we conclude that $\mathit{traces}_{\mathit{Extend}(A)} \subseteq \mathit{traces}_A$. □
Lemma 5.19 Suppose that $A = (B, C, l, u)$ is a TA with bounds. For any reachable state
x of $\mathit{Extend}(A)$, if C is enabled in $x \lceil X$ in A, then $x(\mathit{last}) \le x(\mathit{now}) + u$.

Proof: Consider a closed execution α of $\mathit{Extend}(A)$. Using Axioms T1 and T2 for
trajectories, we can write α as a concatenation of closed execution fragments
$\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$, where $\alpha_0$ is a point trajectory, and each $\alpha_i$ for $i \ge 1$ is either a
trajectory or a discrete action surrounded by two point trajectories, such that for all
$0 \le i \le k - 1$, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$. We prove the invariant by induction on the
length k of the sequence of execution fragments.

For the base case, suppose that C is enabled in $\alpha_0.\mathit{fstate} \lceil X$. Since α is an execution,
we know that $\alpha_0.\mathit{fstate}$ is a start state of $\mathit{Extend}(A)$. By definition of $\mathit{Extend}(A)$,
$\alpha_0.\mathit{fstate}(\mathit{last}) = u$. Since $\alpha_0.\mathit{fstate}(\mathit{now}) = 0$, $\alpha_0.\mathit{fstate}(\mathit{last}) \le \alpha_0.\mathit{fstate}(\mathit{now}) + u$,
as required.

For the inductive step, we assume that the property is true for the sequence
$\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$ and show that it is true for $\alpha_{k+1}$ in
$\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k \frown \alpha_{k+1}$. There are two cases to consider depending on
whether $\alpha_{k+1}$ is a discrete action surrounded by two point trajectories or a trajectory.

1. $\alpha_{k+1}$ is an action a surrounded by two point trajectories $\wp(y)$ and $\wp(y')$. Suppose
   that C is enabled in $y' \lceil X$ in A. There are two subcases to consider:

   (a) C is enabled in $y \lceil X$ and $a \notin C$.

       Then, $y'(\mathit{last}) = y(\mathit{last})$ and $y'(\mathit{now}) = y(\mathit{now})$. By inductive hypothesis,
       $y(\mathit{last}) \le y(\mathit{now}) + u$. Therefore, $y'(\mathit{last}) \le y'(\mathit{now}) + u$, as needed.

   (b) C is disabled in $y \lceil X$ or $a \in C$.

       Then, by definition of $\mathit{Extend}(A)$, $y'(\mathit{last}) = y'(\mathit{now}) + u$, which suffices.

2. $\alpha_{k+1}$ is a trajectory.

   Suppose that C is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$ in A. There are two subcases to
   consider:

   (a) C is enabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in A.

       By inductive hypothesis $\alpha_{k+1}.\mathit{fstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{fstate}(\mathit{now}) + u$. By the
       well-formedness assumption, we know that C must be enabled throughout $\alpha_{k+1}$
       and by definition of $\mathit{Extend}(A)$ last is constant throughout $\alpha_{k+1}$. Since the
       value of now increases, it is easy to see that
       $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$.

   (b) C is disabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in A.

       Then, since it is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$, by the well-formedness assumption
       it becomes enabled at some point t in the domain of $\alpha_{k+1}$ and remains enabled
       thereafter. Therefore, $\alpha_{k+1}(t)(\mathit{last}) = \alpha_{k+1}(t)(\mathit{now}) + u$, by definition of
       $\mathit{Extend}(A)$. Since last remains constant after it is set and the value of now
       increases, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$ holds. □


The theorem below shows that the executions of an automaton obtained by applying
the transformation Extend to a TA with bounds respect the time bounds specified by the
lower bound l and the upper bound u.

Theorem 5.20 Let $A = (B, C, l, u)$ be a TA with bounds. Then,

1. There does not exist a closed execution fragment α of $\mathit{Extend}(A)$ from a reachable
   state, where $\alpha.\mathit{ltime} > u$, C is enabled in A in all the states of $\alpha \lceil (A, X)$ and no
   action in C occurs in α.

2. There does not exist a closed execution fragment α of $\mathit{Extend}(A)$ from a reachable
   state, where $\alpha.\mathit{ltime} < l$, such that C is not enabled in A in the first state of $\alpha \lceil (A, X)$
   and an action in C occurs in α.

Proof:

1. Suppose, for the sake of contradiction, that there exists a closed execution fragment
   $\alpha = \tau_0\, a_1\, \tau_1\, a_2 \cdots \tau_n$ of $\mathit{Extend}(A)$ from a reachable state, where $\alpha.\mathit{ltime} > u$, C is
   enabled in A in all the states of $\alpha \lceil (A, X)$ and none of the $a_i$ in α is in C. By definition
   of trajectories for $\mathit{Extend}(A)$ it must be the case that $\alpha.\mathit{lstate}(\mathit{now}) \le \alpha.\mathit{lstate}(\mathit{last})$.

   Since C is enabled in A in all states in α, by Lemma 5.19 we have
   $\alpha.\mathit{fstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of $\mathit{Extend}(A)$, last remains
   constant throughout α; therefore, $\alpha.\mathit{lstate}(\mathit{last}) = \alpha.\mathit{fstate}(\mathit{last})$. Since
   $\alpha.\mathit{fstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$, it follows that
   $\alpha.\mathit{lstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of α, we have
   $\alpha.\mathit{lstate}(\mathit{now}) = \alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime}$. It follows that
   $\alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime} \le \alpha.\mathit{fstate}(\mathit{now}) + u$. This implies $\alpha.\mathit{ltime} \le u$. But this
   gives us the needed contradiction since $\alpha.\mathit{ltime} > u$.

2. We assume that α is a closed execution fragment of $\mathit{Extend}(A)$ from a reachable state
   where $\alpha.\mathit{ltime} < l$, such that C is not enabled in A in the first state of α and an
   action in C occurs in α. Let $(x, a, x')$ be the first discrete transition of $\mathit{Extend}(A)$ in
   α such that $a \in C$. We show that the condition $x(\mathit{first}) \le x(\mathit{now})$, which has to hold
   for the discrete transition to occur, cannot be true, and hence arrive at a contradiction.

   By Theorem 5.17, the set of trajectories of $\mathit{Extend}(A)$ is well-formed with respect
   to C. Therefore, C can become enabled by either a discrete transition or during a
   trajectory, and remains enabled until the occurrence of $(x, a, x')$.

   (a) C becomes enabled by a discrete transition and remains enabled in A until the
       occurrence of $(x, a, x')$.

       Let $(y, b, y')$ be the discrete transition of A that enables C. By item 3(c) in
       the definition of $D'$ we know that first is set to $y(\mathit{now}) + l$ when C becomes
       enabled. By item 3(b) in the definition of $D'$ and 3(a) in the definition of $T'$, we
       know that it remains constant so that $x(\mathit{first}) = y(\mathit{now}) + l$. Since $(x, a, x')$ is
       a discrete transition of $\mathit{Extend}(A)$, it must be the case that $x(\mathit{first}) \le x(\mathit{now})$.
       Since $x(\mathit{now}) \le y(\mathit{now}) + \alpha.\mathit{ltime}$ and $x(\mathit{first}) = y(\mathit{now}) + l$ it follows that
       $y(\mathit{now}) + l \le y(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$,
       which gives the needed contradiction.

   (b) C becomes enabled at some point in the course of a trajectory τ and remains
       enabled in A until the occurrence of $(x, a, x')$.

       Let y be a state in the range of τ where C becomes enabled. By item 3(c) in
       the definition of $T'$ we know that first is set to $y(\mathit{now}) + l$ when C becomes
       enabled and it remains constant in τ so that $x(\mathit{first}) = y(\mathit{now}) + l$. By item
       3(b) in the definition of $D'$ and 3(a) in the definition of $T'$, we know that
       first remains constant until the occurrence of $(x, a, x')$. Since $(x, a, x')$ is a
       discrete transition of $\mathit{Extend}(A)$, it must be the case that $x(\mathit{first}) \le x(\mathit{now})$.
       Since $x(\mathit{now}) \le y(\mathit{now}) + \alpha.\mathit{ltime}$ and $x(\mathit{first}) = y(\mathit{now}) + l$ it follows that
       $y(\mathit{now}) + l \le y(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$,
       which gives the needed contradiction. □

Example 5.21 (Fischer's algorithm specified using tasks and bounds). In Example 4.5 we
presented the specification of Fischer's mutual exclusion algorithm as a TA. This example
illustrates an alternative way of specifying the same algorithm by using a TA with bounds.

Recall that, formally, we define a TA with bounds as a TA augmented with a single task
along with lower and upper bounds for that task. The automaton in Fig. 18 is, however,
augmented with a set of tasks and bounds (we omit from the figure those transition
definitions that are the same as in Example 4.5). This is for notational convenience, and
the automaton in Fig. 18 should be viewed as the automaton representing the cumulative
result of adding in successive steps two tasks for each index. We assume that Extend
is applied once for each task. That is, we start with the timing-independent version of
FischerME, apply Extend to the automaton augmented with the task {set(i)} to add the
lower bound 0 and the upper bound u_set, then apply Extend to the resulting automaton
augmented with {check(i)} to add the lower bound l_check and the upper bound ∞.
Such two successive applications are allowed since the result of the first application of
Extend satisfies the well-formedness conditions for the set of trajectories.

The result of these successive applications yields an automaton similar to the one in
Example 4.5. The only difference is that the mechanical application of the transformation
would reset the value of firstcheck[i] to 0 as an effect of check(i), while we do not reset
firstcheck[i] explicitly in Example 4.5 when it becomes disabled. This is because we
make use of the facts that the value of firstcheck[i] is used only in determining whether
check(i) is enabled and that check(i) becomes enabled only in the poststate of set(i),
which also sets the value of firstcheck[i]. Note that this discrepancy does not give rise
to any difference in the behaviors of the two automata. □
type Index = enumeration of p1, p2, p3, p4

type PcValue = enumeration of rem, test, set, check,
                              leavetry, crit, reset, leaveexit

automaton FischerME(u_set, l_check: Real)
  signature
    external try(i: Index), crit(i: Index), exit(i: Index), rem(i: Index)
    internal test(i: Index), set(i: Index),
             check(i: Index), reset(i: Index)
  states
    x: Null[Index] := nil,
    pc: Array[Index, PcValue] := constant(rem)
  initially u_set > 0 ∧ l_check > 0 ∧ u_set < l_check
  transitions
    internal test(i)
      pre
        pc[i] = test
      eff
        if x = nil then
          pc[i] := set
    internal set(i)
      pre
        pc[i] = set
      eff
        x := embed(i);
        pc[i] := check
    internal check(i)
      pre
        pc[i] = check
      eff
        if x = embed(i) then pc[i] := leavetry
        else pc[i] := test
  tasks
    set = {set(i)} for i: Index; check = {check(i)} for i: Index
  bounds
    set = [0, u_set]; check = [l_check, infty]

Figure 18: Fischer's mutual exclusion algorithm with bounds.
6 Timed I/O Automata


In this chapter we refine the timed automaton model of Chapter 4 by distinguishing 
between input and output actions. Typically, an interaction between a system and its 
environment is modeled by using output and input actions to represent, respectively, the 
external events under the control of the system and the environment. We extend the 
results on simulation relations and composition from Chapters 4 and 5 to this new setting. 
We also introduce special kinds of timed I/O automata: I/O feasible, progressive, and 
receptive TIOAs. 

6.1 Definition of Timed I/O Automata 

A timed I/O automaton (TIOA) $\mathcal{A}$ is a tuple $(\mathcal{B}, I, O)$ where 

• $\mathcal{B} = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ is a timed automaton. 

• $I$ and $O$ partition $E$ into input and output actions, respectively. Actions in $L = 
H \cup O$ are called locally controlled; as before we write $A = E \cup H$. 

• The following additional axioms are satisfied: 

E1 (Input action enabling) 

For every $x \in Q$ and every $a \in I$, there exists $x' \in Q$ such that $x \xrightarrow{a} x'$. 

E2 (Time-passage enabling) 

For every $x \in Q$, there exists $\tau \in \mathcal{T}$ such that $\tau.fstate = x$ and either 

1. $\tau.ltime = \infty$, or 

2. $\tau$ is closed and some $l \in L$ is enabled in $\tau.lstate$. 

Input action enabling is the input enabling condition of ordinary I/O automata [45]; it 
says that a TIOA is able to perform an input action at any time. The time-passage 
enabling condition says that a TIOA either allows time to advance forever, or it allows 
time to advance for a while, up to a point where it is prepared to react with some locally 
controlled action. The condition ensures what is called time reactivity in [46] and timelock 
freedom in [47], that is, whenever time progress stops there exists at least one enabled 
transition. Because TIOAs have no external variables, E1 and E2 are slightly simpler 
than the corresponding axioms for HIOAs. 


Notation: As we did for TAs, we often denote the components of a TIOA $\mathcal{A}$ by $\mathcal{B}_{\mathcal{A}}$, 
$I_{\mathcal{A}}$, $O_{\mathcal{A}}$, $X_{\mathcal{A}}$, $Q_{\mathcal{A}}$, $\Theta_{\mathcal{A}}$, etc., and those of a TIOA $\mathcal{A}_i$ by $\mathcal{B}_i$, $I_i$, $O_i$, $X_i$, $Q_i$, $\Theta_i$, etc. We 
sometimes omit these subscripts where no confusion is likely. We abuse notation slightly 
by referring to a TIOA $\mathcal{A}$ as a TA when we intend to refer to $\mathcal{B}_{\mathcal{A}}$. 
Example 6.1 (TAs viewed as TIOAs). The automaton TimedChannel described in Example 4.1 
can be turned into a TIOA by classifying the send actions as inputs, and the 
receive actions as outputs. Since there is no precondition for send actions, they are 
enabled in each state, so clearly the input enabling condition E1 holds. It is also easy to 
see that Axiom E2 holds: in each state either queue is nonempty, in which case a receive 
output action is enabled after a point trajectory, or queue is empty, in which case time 
can advance forever. 

The automaton ClockSync of Example 4.6 can be turned into a TIOA by classifying the 
send actions as outputs, and the receive actions as inputs. Axiom E1 then holds trivially. 
Axiom E2 holds since from each state either time can advance forever, or we have an 
outgoing trajectory (possibly of length 0) to a state in which physclock = nextsend, and 
from there a send output action is enabled. □ 


6.2 Executions and Traces 

An execution fragment, execution, trace fragment, or trace of a TIOA $\mathcal{A}$ is defined to 
be an execution fragment, execution, trace fragment, or trace of the underlying TA $\mathcal{B}_{\mathcal{A}}$, 
respectively. 

We say that an execution fragment of a TIOA is locally-Zeno if it is Zeno and contains 
infinitely many locally controlled actions, or equivalently, if it has finite limit time and 
contains infinitely many locally controlled actions. 

6.3 Special Kinds of Timed I/O Automata 
6.3.1 Feasible and I/O Feasible TIOAs 

A TIOA $\mathcal{A} = (\mathcal{B}, I, O)$ is defined to be feasible provided that its underlying TA $\mathcal{B}$ is feasible 
according to the definition given in Section 4.3. As noted in Section 4.3, feasibility is a 
basic requirement that any TA (or TIOA) should satisfy. I/O feasibility is a strengthened 
version of feasibility that takes inputs into account. It says that the automaton is capable of 
providing some response from any state, for any sequence of input actions and any amount 
of intervening time-passage. In particular, it should allow time to pass to infinity if the 
environment does not submit any input actions. Formally, we define a TIOA to be I/O 
feasible provided that, for each state $x$ and each $(I, \emptyset)$-sequence $\beta$, there is some execution 
fragment $\alpha$ from $x$ such that $\alpha \lceil (I, \emptyset) = \beta$. That is, an I/O feasible TIOA accommodates 
arbitrary input actions occurring at arbitrary times. The given $(I, \emptyset)$-sequence $\beta$ describes 
the inputs and the amounts of intervening time. 
6.3.2 Progressive TIOAs 


A progressive TIOA never generates infinitely many locally controlled actions in finite 
time. Formally, a TIOA A is progressive if it has no locally-Zeno execution fragments. 

The following lemma says that any progressive TIOA is capable of advancing time 
forever. 

Lemma 6.2 Every progressive TIOA is feasible. 

Proof: Let $\mathcal{A}$ be a progressive TIOA and let $x$ be a state of $\mathcal{A}$. Since $\mathcal{A}$ is a TIOA it 
satisfies Axiom E2. We construct an admissible execution fragment $\alpha = \alpha_0\, \alpha_1\, \alpha_2 \cdots$ 
from $x$ as follows. 

1. $\alpha_0 = \wp(x)$. 

2. For each $i > 0$, 

(a) If there exists a trajectory $\tau$ from $\alpha_{i-1}.lstate$ such that $\tau.ltime = \infty$ then $\alpha_i$ is 
the final execution fragment in the sequence and $\alpha_i = \tau$. 

(b) Otherwise, let $\tau_i$ be a closed execution fragment from $\alpha_{i-1}.lstate$ such that some $l \in L$ 
is enabled in $\tau_i.lstate$. Define $\alpha_i = \tau_i\, l\, \tau'_i$ where $\tau'_i = \wp(y)$ and $\tau_i.lstate \xrightarrow{l} y$. 

The above construction either ends after finitely many stages such that the last trajectory 
of $\alpha$ is admissible, or goes through infinitely many stages such that $\alpha$ contains infinitely 
many local actions. In the former case, we know that $\alpha$ is admissible since it ends with 
an admissible trajectory. In the latter case, since $\mathcal{A}$ is progressive, the fact that $\alpha$ has 
infinitely many local actions implies that $\alpha$ is admissible, as needed. □ 

The following lemma says that a progressive TIOA is capable of allowing any amount 
of time to pass from any state. 

Lemma 6.3 Let $\mathcal{A}$ be a progressive TIOA, let $x$ be a state of $\mathcal{A}$, and let $\tau \in trajs(\emptyset)$. 
Then there exists an execution fragment $\alpha$ of $\mathcal{A}$ such that $\alpha.fstate = x$ and $\alpha \lceil (I, \emptyset) = \tau$. 

Proof: The result follows from the construction used in the proof of Lemma 6.2. Let 
$\alpha$ be an admissible execution fragment from $x$ constructed as in the proof of Lemma 6.2. 
Let $\alpha'$ be a prefix of $\alpha$ such that $\alpha' \lceil (\emptyset, \emptyset) = \tau$. Since our construction uses no actions 
from $I$, we have $\alpha' \lceil (I, \emptyset) = \alpha' \lceil (\emptyset, \emptyset) = \tau$, as needed. □ 

The following theorem says that a progressive TIOA is capable not just of allowing 
arbitrary amounts of time to pass, but of allowing arbitrary input actions at arbitrary 
times. 
Theorem 6.4 Every progressive TIOA is I/O feasible. 

Proof: Let $\mathcal{A}$ be a progressive TIOA, let $x$ be a state of $\mathcal{A}$, and let $\beta = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots$ 
be an $(I, \emptyset)$-sequence. We construct a finite or infinite sequence $\alpha_0\, \alpha_1 \cdots$ of execution 
fragments such that: 

1. $\alpha_0.fstate = x$. 

2. For each nonfinal index $i$, $\alpha_i.lstate = \alpha_{i+1}.fstate$. 

3. For each $i$, $(\alpha_0 \frown \cdots \frown \alpha_i) \lceil (I, \emptyset) = \tau_0\, a_1\, \tau_1 \ldots \tau_i$. 

The construction is carried out recursively. To define $\alpha_0$, we start with $x$ and use 
Lemma 6.3 to span $\tau_0$. For $i > 0$, we define $\alpha_i$ by starting with $\alpha_{i-1}.lstate$, using Axiom 
E1 to perform the input action $a_i$ and move to a new state, and then using Lemma 6.3 to 
span $\tau_i$. 

Let $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$. By Lemma 3.8, $\alpha$ is an execution fragment of $\mathcal{A}$ from $x$ such 
that $\alpha \lceil (I, \emptyset) = \beta$, as needed. □ 

6.3.3 Receptive Timed I/O Automata 

In this section, we define the notion of receptiveness for TIOAs. A TIOA will be defined 
to be receptive provided that it admits a strategy for resolving its nondeterministic choices 
that never generates infinitely many locally controlled actions in finite time. This notion 
has an important consequence: A receptive TIOA provides some response from any state, 
for any sequence of discrete input actions at any times. This implies that the automaton 
has a nontrivial set of execution fragments, in fact, it has execution fragments that 
accommodate any inputs from the environment. The automaton cannot simply stop at 
some point and refuse to allow time to elapse; it must allow time to pass to infinity if the 
environment does so. Previous studies of receptiveness properties include [48, 49, 8, 41]. 
The notion of receptiveness for TIOAs as discussed here is a special case of the same notion 
for HIOAs [6]. 

We build our definition of receptiveness on our earlier definition of progressive TIOAs. 
Namely, we define a strategy for resolving nondeterministic choices, and define receptiveness 
in terms of the existence of a progressive strategy. 

We define a strategy for a TIOA $\mathcal{A}$ to be a TIOA $\mathcal{A}'$ that differs from $\mathcal{A}$ only in that 
$\mathcal{D}' \subseteq \mathcal{D}$ and $\mathcal{T}' \subseteq \mathcal{T}$. That is, we require: 

• $\mathcal{D}' \subseteq \mathcal{D}$, 

• $\mathcal{T}' \subseteq \mathcal{T}$, 

• $X = X'$, $Q = Q'$, $\Theta = \Theta'$, $H = H'$, $I = I'$, and $O = O'$. 

Our strategies are nondeterministic and memoryless. They provide a way of choosing some 
of the evolutions that are possible from each state $x$ of $\mathcal{A}$. The fact that the state set $Q'$ 
of $\mathcal{A}'$ is the same as the state set $Q$ of $\mathcal{A}$ implies that $\mathcal{A}'$ chooses evolutions from every 
state of $\mathcal{A}$. 

Notions of strategy have been used also in previous studies of receptiveness [48, 49, 
8, 41]. However, in these earlier works, strategies have been formalized using two-player 
games rather than automata. Defining strategies using automata allows us to avoid 
introducing extra mathematical machinery. 

Lemma 6.5 If $\mathcal{A}'$ is a strategy for $\mathcal{A}$, then every execution fragment of $\mathcal{A}'$ is also an 
execution fragment of $\mathcal{A}$. 

We define a TIOA to be receptive if it has a progressive strategy. The following theorem 
says that any receptive TIOA can respond to any inputs from the environment. 

Theorem 6.6 Every receptive TIOA is I/O feasible. 

Proof: Immediate from the definitions, Theorem 6.4 and Lemma 6.5. □ 

Example 6.7 (Progressive and receptive TIOAs). The time-bounded channel automaton 
described in Example 4.1 is not progressive since it allows for an infinite execution in 
which send and receive actions alternate without any passage of time in between. The 
time-bounded channel automaton is receptive, however, as we may construct a progressive 
strategy for it by adding a condition head(queue).deadline = now to the precondition of 
the receive action. In this way we enforce that the channel operates maximally slowly 
and messages are only delivered at their delivery deadline. The clock synchronization 
automaton of Example 4.6 is progressive (and therefore receptive) since it can only generate 
a locally controlled action each time its physical clock advances by $u$ time units and the 
real time that elapses between two locally produced actions is at least $u \times (1 - \rho)$ time 
units. □ 


6.4 Implementation Relationships 

Two TIOAs $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable if their inputs and outputs coincide, that is, if 
$I_1 = I_2$ and $O_1 = O_2$. If $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable, then $\mathcal{A}_1 \leq \mathcal{A}_2$ is defined to mean 
that the traces of $\mathcal{A}_1$ are included among those of $\mathcal{A}_2$: $\mathcal{A}_1 \leq \mathcal{A}_2 \triangleq traces_{\mathcal{A}_1} \subseteq traces_{\mathcal{A}_2}$. 

Lemma 6.8 Let $\mathcal{A}_1$, $\mathcal{A}_2$ be two comparable TIOAs and let $\mathcal{B}_1$, $\mathcal{B}_2$ be, respectively, the 
underlying TAs for $\mathcal{A}_1$ and $\mathcal{A}_2$. Then $\mathcal{B}_1$ and $\mathcal{B}_2$ are comparable and $\mathcal{A}_1 \leq \mathcal{A}_2$ iff $\mathcal{B}_1 \leq \mathcal{B}_2$. 

Proof: Immediate from the definitions. □ 
6.5 Simulation Relations 

The definition of forward simulation for TIOAs is the same as for TAs. Formally, if 
$\mathcal{A}_1 = (\mathcal{B}_1, I_1, O_1)$ and $\mathcal{A}_2 = (\mathcal{B}_2, I_2, O_2)$ are two comparable TIOAs, then a forward 
simulation from $\mathcal{A}_1$ to $\mathcal{A}_2$ is a forward simulation from $\mathcal{B}_1$ to $\mathcal{B}_2$. 

Theorem 6.9 If $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable TIOAs and there is a forward simulation 
from $\mathcal{A}_1$ to $\mathcal{A}_2$, then $\mathcal{A}_1 \leq \mathcal{A}_2$. 

The definitions and results about backward simulations, history and prophecy relations 
for timed automata from Chapter 4 carry over to timed automata with input and output 
distinction in a similar fashion. 
7 Operations on Timed I/O Automata 

7.1 Composition 

In this chapter we define the operations of composition and hiding and present projection, 
pasting and substitutivity results for TIOAs. We revisit the special kinds of TIOAs 
introduced in Chapter 6 and show that the classes of progressive and receptive timed I/O 
automata are closed under composition, while this is not true for the class of I/O feasible 
automata. 

7.1.1 Definitions and Basic Results 

The definition of composition for TIOAs is based on the corresponding definition for TAs, 
but also takes the input/output structure into account. We require that precisely one 
component should "control" any given internal or output action. We say that TIOAs $\mathcal{A}_1$ 
and $\mathcal{A}_2$ are compatible if, for $i \neq j$, $X_i \cap X_j = H_i \cap A_j = O_i \cap O_j = \emptyset$. 

Lemma 7.1 If $\mathcal{A}_1 = (\mathcal{B}_1, I_1, O_1)$ and $\mathcal{A}_2 = (\mathcal{B}_2, I_2, O_2)$ are compatible TIOAs, then $\mathcal{B}_1$ 
and $\mathcal{B}_2$ are compatible TAs. 

If $\mathcal{A}_1$ and $\mathcal{A}_2$ are compatible TIOAs then their composition $\mathcal{A}_1 \| \mathcal{A}_2$ is defined to be the 
tuple $\mathcal{A} = (\mathcal{B}, I, O)$ where 

• $\mathcal{B} = \mathcal{B}_1 \| \mathcal{B}_2$, 

• $I = (I_1 \cup I_2) - (O_1 \cup O_2)$, and 

• $O = O_1 \cup O_2$. 

Thus, an external action of the composition is classified as an output if it is an output of 
one of the component automata, and otherwise it is classified as an input. The composition 
of two TIOAs is guaranteed to be a TIOA: 

Theorem 7.2 If $\mathcal{A}_1$ and $\mathcal{A}_2$ are TIOAs then $\mathcal{A}_1 \| \mathcal{A}_2$ is a TIOA. 

Proof: The proof is straightforward except for showing that Axiom E2 is satisfied by the 
composition. Let $x$ be a state of $\mathcal{A}_1 \| \mathcal{A}_2$. We need to show the existence of a trajectory 
from $x$ that satisfies E2. 

By definition of $\mathcal{A}_1 \| \mathcal{A}_2$, $x \lceil X_1$ is a state of $\mathcal{A}_1$ and $x \lceil X_2$ is a state of $\mathcal{A}_2$. We know 
that both $\mathcal{A}_1$ and $\mathcal{A}_2$ satisfy E2. Let $\tau_1$ be a trajectory of $\mathcal{A}_1$ with $\tau_1.fstate = x \lceil X_1$ that 
satisfies E2, let $\tau_2$ be a trajectory of $\mathcal{A}_2$ with $\tau_2.fstate = x \lceil X_2$ that satisfies E2, and 
consider the following cases: 
1. $\tau_1.ltime = \infty$ and $\tau_2.ltime = \infty$. 

Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2$. 

2. $\tau_1.ltime = \infty$ and $\tau_2$ is closed where some $l \in L_2$ is enabled in $\tau_2.lstate$. 

Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil dom(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$. 

3. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.lstate$ and $\tau_2.ltime = \infty$. 

Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2 \lceil dom(\tau_1)$. 

4. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.lstate$ and $\tau_2$ is closed where some 
$l' \in L_2$ is enabled in $\tau_2.lstate$. 

If $dom(\tau_1) \subseteq dom(\tau_2)$, then define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = 
\tau_2 \lceil dom(\tau_1)$. Otherwise, define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil dom(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$. 

In all the cases, by definition of trajectories for a TIOA, $\tau$ is a trajectory of $\mathcal{A}_1 \| \mathcal{A}_2$ from 
$x$, which satisfies E2 by construction. □ 

Note that this theorem is stronger than the corresponding theorem [6, Theorem 6.12] 
for general HIOAs. Two HIOAs $\mathcal{A}_1$ and $\mathcal{A}_2$ are required to be "strongly compatible" for 
their composition to be a hybrid I/O automaton. This extra condition is needed to rule 
out dependencies among external variables that may prevent the component automata 
from evolving together. The absence of external variables in TIOA eliminates this kind 
of problematic behavior. Thus, for the timed case, we do not require the notion of strong 
compatibility that was needed for the hybrid case. 

Composition of TIOAs satisfies the following projection and pasting result, which 
follows from Theorem 5.4. 

Theorem 7.3 Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be comparable TIOAs, and let $\mathcal{A} = \mathcal{A}_1 \| \mathcal{A}_2$. Then $traces_{\mathcal{A}}$ 
is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $\mathcal{A}_1$ and $\mathcal{A}_2$ are traces of $\mathcal{A}_1$ and 
$\mathcal{A}_2$, respectively. 

That is, $traces_{\mathcal{A}} = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{\mathcal{A}_i},\ i \in \{1, 2\}\}$. 

7.1.2 Substitutivity Results 

The following theorem is analogous to Theorem 5.8 for TAs without input/output 
distinction. It shows that the introduction of this distinction does not cause any changes to the 
substitutivity results we obtained for general TAs. 

Theorem 7.4 Suppose $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable TIOAs with $\mathcal{A}_1 \leq \mathcal{A}_2$. Suppose that $\mathcal{B}$ 
is a TIOA that is compatible with each of $\mathcal{A}_1$ and $\mathcal{A}_2$. Then $\mathcal{A}_1 \| \mathcal{B} \leq \mathcal{A}_2 \| \mathcal{B}$. 

The corollaries are analogous to Corollaries 5.9 and 5.10 of Theorem 5.8. 

Corollary 7.5 Suppose $\mathcal{A}_1$, $\mathcal{A}_2$, $\mathcal{B}_1$, and $\mathcal{B}_2$ are TIOAs, $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable, $\mathcal{B}_1$ 
and $\mathcal{B}_2$ are comparable, and each of $\mathcal{A}_1$ and $\mathcal{A}_2$ is compatible with each of $\mathcal{B}_1$ and $\mathcal{B}_2$. If 
$\mathcal{A}_1 \leq \mathcal{A}_2$ and $\mathcal{B}_1 \leq \mathcal{B}_2$ then $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$. 

Corollary 7.6 Suppose $\mathcal{A}_1$, $\mathcal{A}_2$, $\mathcal{B}_1$, and $\mathcal{B}_2$ are TIOAs, $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable, $\mathcal{B}_1$ 
and $\mathcal{B}_2$ are comparable, and each of $\mathcal{A}_1$ and $\mathcal{A}_2$ is compatible with each of $\mathcal{B}_1$ and $\mathcal{B}_2$. If 
$\mathcal{A}_1 \| \mathcal{B}_2 \leq \mathcal{A}_2 \| \mathcal{B}_2$ and $\mathcal{B}_1 \leq \mathcal{B}_2$ then $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$. 


The basic substitutivity theorem, Theorem 7.4, is desirable for any formalism for 
interacting processes. For design purposes, it enables one to refine individual components 
without violating the correctness of the system as a whole. For verification purposes, it 
enables one to prove that a composite system satisfies its specification by proving that 
each component satisfies its specification, thereby breaking down the verification task into 
more manageable pieces. However, it might not always be possible or easy to show that 
each component $\mathcal{A}_1$ (resp. $\mathcal{B}_1$) satisfies its specification $\mathcal{A}_2$ (resp. $\mathcal{B}_2$) without using any 
assumptions about the environment of the component. Assume-guarantee style results 
such as those presented in [49, 50, 51, 52, 53, 54, 55, 56] are special kinds of substitutivity 
results that state what guarantees are expected from each component in an environment 
constrained by certain assumptions. Since the environment of each component consists of 
the other components in the system, assume-guarantee style results need to break the 
circular dependencies between the assumptions and guarantees for components. We present 
below two assume-guarantee style theorems, Theorem 7.7 and Corollary 7.8, taken from 
[57], which can be used for proving that a system specified as a composite automaton 
$\mathcal{A}_1 \| \mathcal{B}_1$ implements a specification represented by a composite automaton $\mathcal{A}_2 \| \mathcal{B}_2$. 

The main idea behind Theorem 7.7 is to assume that $\mathcal{A}_1$ implements $\mathcal{A}_2$ in a context 
represented by $\mathcal{B}_2$, and symmetrically that $\mathcal{B}_1$ implements $\mathcal{B}_2$ in a context represented 
by $\mathcal{A}_2$, where $\mathcal{A}_2$ and $\mathcal{B}_2$ are automata whose trace sets are closed under limits. The 
requirement about limit-closure implies that $\mathcal{A}_2$ and $\mathcal{B}_2$ specify trace safety properties. 
Moreover, we assume that the trace sets of $\mathcal{A}_2$ and $\mathcal{B}_2$ are closed under time-extension. 
That is, the automata allow arbitrary time-passage. This is the most general assumption 
one could make to ensure that $\mathcal{A}_2 \| \mathcal{B}_2$ does not impose stronger constraints on time-passage 
than $\mathcal{A}_1 \| \mathcal{B}_1$. Recall that the definition of time extension of a hybrid sequence can be found 
in Section 3.4.1. 

Theorem 7.7 Suppose $\mathcal{A}_1$, $\mathcal{A}_2$, $\mathcal{B}_1$, $\mathcal{B}_2$ are TIOAs such that $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable, 
$\mathcal{B}_1$ and $\mathcal{B}_2$ are comparable, and each of $\mathcal{A}_1$ and $\mathcal{A}_2$ is compatible with each of $\mathcal{B}_1$ and $\mathcal{B}_2$. 
Suppose further that: 

1. The sets $traces_{\mathcal{A}_2}$ and $traces_{\mathcal{B}_2}$ are closed under limits. 

2. The sets $traces_{\mathcal{A}_2}$ and $traces_{\mathcal{B}_2}$ are closed under time-extension. 

3. $\mathcal{A}_1 \| \mathcal{B}_2 \leq \mathcal{A}_2 \| \mathcal{B}_2$ and $\mathcal{A}_2 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$. 

Then $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$. 


Proof: We first prove by induction on the length of traces of $\mathcal{A}_1 \| \mathcal{B}_1$ that every closed 
trace of $\mathcal{A}_1 \| \mathcal{B}_1$ is a trace of $\mathcal{A}_2 \| \mathcal{B}_2$. 

For the base case, let $\beta$ be a trace of $\mathcal{A}_1 \| \mathcal{B}_1$ such that $\beta \in trajs(\emptyset)$ (a single trajectory 
over the empty set of variables). By Axiom T0 in the definition of a TA, we know that 
$\mathcal{A}_2$ and $\mathcal{B}_2$ have traces $\alpha_1$ and $\alpha_2$ such that $\alpha_1.ltime = \alpha_2.ltime = 0$. By Assumption 2 we 
have $\alpha_1 \frown \beta \in traces_{\mathcal{A}_2}$ and $\alpha_2 \frown \beta \in traces_{\mathcal{B}_2}$. Since $\alpha_1 \frown \beta = \beta$ and $\alpha_2 \frown \beta = \beta$, it follows 
that $\beta \in traces_{\mathcal{A}_2}$ and $\beta \in traces_{\mathcal{B}_2}$. By pasting using Theorem 7.3, $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$, as 
needed. 

For the inductive step we consider the following cases: 

1. $\beta = \beta'\, a\, \tau$, where $a$ is an output action of $\mathcal{A}_1$ and $\tau$ is a point trajectory. 

Then $\beta \lceil (E_{\mathcal{A}_1}, \emptyset) \in traces_{\mathcal{A}_1}$ by projection using Theorem 7.3. By inductive hypothesis, 
$\beta' \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. So $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$, by projection using Theorem 7.3. 
Let $\alpha$ be an execution of $\mathcal{B}_2$ such that $trace(\alpha) = \beta' \lceil (E_{\mathcal{B}_2}, \emptyset)$. Since $\mathcal{A}_1$ and $\mathcal{B}_1$ 
are compatible TIOAs, $\mathcal{B}_1$ and $\mathcal{B}_2$ are comparable, and $a$ is an output action of 
$\mathcal{A}_1$, we know that either $a$ is an input action of $\mathcal{B}_2$ or the action set of $\mathcal{B}_2$ does 
not contain $a$. In the former case, by the input-enabling axiom (E1) we know that 
there exists $x'$ such that $(\alpha.lstate, a, x')$ is a discrete transition of $\mathcal{B}_2$. It follows 
that $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. In the latter case, since $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) = \beta' \lceil (E_{\mathcal{B}_2}, \emptyset)$ and 
$\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$ we get $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. By pasting using Theorem 7.3, 
$\beta \in traces_{\mathcal{A}_1 \| \mathcal{B}_2}$. Then by Assumption 3, $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. 

2. $\beta = \beta'\, b\, \tau$, where $b$ is an output action of $\mathcal{B}_1$ and $\tau$ is a point trajectory. 

This case is symmetric with the previous one. 

3. $\beta = \beta'\, c\, \tau$, where $c$ is an input action of both $\mathcal{A}_1$ and $\mathcal{B}_1$ and $\tau$ is a point trajectory. 

By inductive hypothesis, $\beta' \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. By projection using Theorem 7.3 we 
get $\beta' \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. Let $\alpha$ be an execution of $\mathcal{A}_2$ 
such that $trace(\alpha) = \beta' \lceil (E_{\mathcal{A}_2}, \emptyset)$. Since $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable and $c$ is an input 
action of $\mathcal{A}_1$ we know that $c$ is an input action of $\mathcal{A}_2$. By the input-enabling axiom 
(E1) we know that there exists $x'$ such that $(\alpha.lstate, c, x')$ is a discrete transition 
of $\mathcal{A}_2$. It follows that $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$. Similarly, let $\alpha'$ be an execution of $\mathcal{B}_2$ 
such that $trace(\alpha') = \beta' \lceil (E_{\mathcal{B}_2}, \emptyset)$. Since $\mathcal{B}_1$ and $\mathcal{B}_2$ are comparable and $c$ is an input 
action of $\mathcal{B}_1$ we know that $c$ is an input action of $\mathcal{B}_2$. By the input-enabling axiom 
(E1) we know that there exists $y'$ such that $(\alpha'.lstate, c, y')$ is a discrete transition 
of $\mathcal{B}_2$. It follows that $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. By pasting using Theorem 7.3, we get 
$\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. 

4. $\beta = \beta'\, d\, \tau$, where $d$ is an input action of $\mathcal{A}_1$ but not an action of $\mathcal{B}_1$ and $\tau$ is a point 
trajectory. 

By inductive hypothesis, $\beta' \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. By projection using Theorem 7.3, we 
have $\beta' \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. Let $\alpha$ be an execution 
of $\mathcal{A}_2$ such that $trace(\alpha) = \beta' \lceil (E_{\mathcal{A}_2}, \emptyset)$. Since $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable TIOAs 
and $d$ is an input action of $\mathcal{A}_1$, $d$ must be an input action of $\mathcal{A}_2$. By the input-enabling 
axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, d, x')$ is a 
discrete transition of $\mathcal{A}_2$. It follows that $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$. Since $\mathcal{B}_1$ and 
$\mathcal{B}_2$ are comparable and $d$ is not an action of $\mathcal{B}_1$, $d$ cannot be an external action 
of $\mathcal{B}_2$. Therefore, $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) = \beta' \lceil (E_{\mathcal{B}_2}, \emptyset)$. Since $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$ we get 
$\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. By pasting using Theorem 7.3, we get $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. 

5. $\beta = \beta'\, e\, \tau$, where $e$ is an input action of $\mathcal{B}_1$ but not an action of $\mathcal{A}_1$ and $\tau$ is a point 
trajectory. 

This case is symmetric with the previous one. 

6. $\beta = \beta'\, \beta''$, where $\beta''$ is a hybrid sequence consisting of a single trajectory $\tau$. 

By inductive hypothesis, $\beta' \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. By projection using Theorem 7.3, we 
get $\beta' \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. By Assumption 2, we have 
$\beta' \lceil (E_{\mathcal{A}_2}, \emptyset) \frown \beta'' \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta' \lceil (E_{\mathcal{B}_2}, \emptyset) \frown \beta'' \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. 
Then by pasting using Theorem 7.3, $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$, as needed. 

We have thus shown that every closed trace of $\mathcal{A}_1 \| \mathcal{B}_1$ is a trace of $\mathcal{A}_2 \| \mathcal{B}_2$. Now consider 
any non-closed trace $\beta$ of $\mathcal{A}_1 \| \mathcal{B}_1$. This $\beta$ can be written as the limit of a sequence 
$\beta_1\, \beta_2 \cdots$ of closed traces of $\mathcal{A}_1 \| \mathcal{B}_1$. By the first part of the proof we know that each 
$\beta_i \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$, and by projection using Theorem 7.3 each $\beta_i \lceil (E_{\mathcal{A}_2}, \emptyset)$ is a closed trace 
of $\mathcal{A}_2$, and $\beta_i \lceil (E_{\mathcal{B}_2}, \emptyset)$ is a closed trace of $\mathcal{B}_2$. Since restriction is a continuous operation 
(Lemma 3.8), we know that $\beta \lceil (E_{\mathcal{A}_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{\mathcal{A}_2}, \emptyset)$ and similarly 
$\beta \lceil (E_{\mathcal{B}_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{\mathcal{B}_2}, \emptyset)$. Since the sets $traces_{\mathcal{A}_2}$ and $traces_{\mathcal{B}_2}$ are limit-closed 
by Assumption 1, we get $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. Finally, 
by pasting using Theorem 7.3, we get $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. □ 

Note that automata with FIN and timing-independence (see Section 4.3 for definitions) 
constitute examples for context automata $\mathcal{A}_2$ and $\mathcal{B}_2$ that satisfy Assumptions 1 and 2. 
The property FIN implies Assumption 1 (Lemma 4.18) and timing-independence implies 
Assumption 2. 

Theorem 7.7 has a corollary, Corollary 7.8 below, which can be used in the decomposition 
of proofs even when $\mathcal{A}_2$ and $\mathcal{B}_2$ neither admit arbitrary time-passage nor have 
limit-closed trace sets. The main idea behind this corollary is to assume that $\mathcal{A}_1$ implements 
$\mathcal{A}_2$ in a context $\mathcal{B}_3$ that is a variant of $\mathcal{B}_2$, and symmetrically that $\mathcal{B}_1$ implements 
$\mathcal{B}_2$ in a context $\mathcal{A}_3$ that is a variant of $\mathcal{A}_2$. That is, the correctness of the implementation 
relationship between $\mathcal{A}_1$ and $\mathcal{A}_2$ does not depend on all the environment constraints, just 
on those expressed by $\mathcal{B}_3$ (symmetrically for $\mathcal{B}_1$, $\mathcal{B}_2$, and $\mathcal{A}_3$). In order to use this corollary 
to prove $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$ one needs to be able to find appropriate variants of $\mathcal{A}_2$ and $\mathcal{B}_2$ 
that meet the required closure properties. This corollary prompts one to pin down what is 
essential about the behavior of the environment in proving the intended implementation 
relationship, and also allows one to avoid the unnecessary details of the environment in 
proofs. 

Corollary 7.8 Suppose $\mathcal{A}_1$, $\mathcal{A}_2$, $\mathcal{A}_3$, $\mathcal{B}_1$, $\mathcal{B}_2$, $\mathcal{B}_3$ are TIOAs such that $\mathcal{A}_1$, $\mathcal{A}_2$, and $\mathcal{A}_3$ are 
comparable, $\mathcal{B}_1$, $\mathcal{B}_2$, and $\mathcal{B}_3$ are comparable, and $\mathcal{A}_i$ is compatible with $\mathcal{B}_j$ for $i, j \in \{1, 2, 3\}$. 
Suppose further that: 

1. The sets $traces_{\mathcal{A}_3}$ and $traces_{\mathcal{B}_3}$ are closed under limits. 

2. The sets $traces_{\mathcal{A}_3}$ and $traces_{\mathcal{B}_3}$ are closed under time-extension. 

3. $\mathcal{A}_2 \| \mathcal{B}_3 \leq \mathcal{A}_3 \| \mathcal{B}_3$ and $\mathcal{A}_3 \| \mathcal{B}_2 \leq \mathcal{A}_3 \| \mathcal{B}_3$. 

4. $\mathcal{A}_1 \| \mathcal{B}_3 \leq \mathcal{A}_2 \| \mathcal{B}_3$ and $\mathcal{A}_3 \| \mathcal{B}_1 \leq \mathcal{A}_3 \| \mathcal{B}_2$. 

Then $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$. 

Proof: Since $\mathcal{A}_1 \| \mathcal{B}_3 \leq \mathcal{A}_2 \| \mathcal{B}_3$ by Assumption 4, and $\mathcal{A}_2 \| \mathcal{B}_3 \leq \mathcal{A}_3 \| \mathcal{B}_3$ by Assumption 3, 
we get $\mathcal{A}_1 \| \mathcal{B}_3 \leq \mathcal{A}_3 \| \mathcal{B}_3$. Similarly, we have $\mathcal{A}_3 \| \mathcal{B}_1 \leq \mathcal{A}_3 \| \mathcal{B}_2 \leq \mathcal{A}_3 \| \mathcal{B}_3$. Since $\mathcal{A}_1 \| \mathcal{B}_3 \leq 
\mathcal{A}_3 \| \mathcal{B}_3$ and $\mathcal{A}_3 \| \mathcal{B}_1 \leq \mathcal{A}_3 \| \mathcal{B}_3$, by using Assumptions 1 and 2, and Theorem 7.7 we have 
$\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_3 \| \mathcal{B}_3$. 

Let $\beta$ be a trace of $\mathcal{A}_1 \| \mathcal{B}_1$. By projection using Theorem 7.3, $\beta \lceil (E_{\mathcal{A}_1}, \emptyset) \in traces_{\mathcal{A}_1}$ 
and $\beta \lceil (E_{\mathcal{B}_1}, \emptyset) \in traces_{\mathcal{B}_1}$. Since $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_3 \| \mathcal{B}_3$, we know that $\beta \in traces_{\mathcal{A}_3 \| \mathcal{B}_3}$. By 
projection using Theorem 7.3, $\beta \lceil (E_{\mathcal{A}_3}, \emptyset) \in traces_{\mathcal{A}_3}$ and $\beta \lceil (E_{\mathcal{B}_3}, \emptyset) \in traces_{\mathcal{B}_3}$. By 
pasting using Theorem 7.3, we have $\beta \in traces_{\mathcal{A}_1 \| \mathcal{B}_3}$ and $\beta \in traces_{\mathcal{A}_3 \| \mathcal{B}_1}$. By Assumption 
4, we get $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_3}$ and $\beta \in traces_{\mathcal{A}_3 \| \mathcal{B}_2}$. Then, by projection using Theorem 7.3, 
$\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_2}$. Finally, by pasting using Theorem 7.3 
we have $\beta \in traces_{\mathcal{A}_2 \| \mathcal{B}_2}$, as needed. □ 


Example 7.9 (Using environment assumptions to prove safety). This example 
illustrates that, in cases where specifications $\mathcal{A}_2$ and $\mathcal{B}_2$ satisfy certain closure properties, 
it is possible to decompose the proof of $\mathcal{A}_1 \| \mathcal{B}_1 \leq \mathcal{A}_2 \| \mathcal{B}_2$ by using Theorem 7.7, even if it 
is not the case that $\mathcal{A}_1 \leq \mathcal{A}_2$ or $\mathcal{B}_1 \leq \mathcal{B}_2$. 

The automata AlternateA and AlternateB in Figure 19 are timing-independent automata 
in which no consecutive outputs occur without inputs happening in between. 
AlternateA and AlternateB perform a handshake, outputting an alternating sequence of a 
and b actions when they are composed. The automata CatchUpA and CatchUpB in Figure 14 
are timing-dependent automata that do not necessarily alternate inputs and outputs as 
AlternateA and AlternateB do. CatchUpA can perform an arbitrary number of b actions, and 
can perform an a provided that counta < countb. It allows counta to increase to one more 
automaton AlternateA 
  signature 
    output a, input b 
  states 
    myturn: Bool := true 
  transitions 
    output a 
      pre myturn 
      eff myturn := false 
    input b 
      eff myturn := true 

automaton AlternateB 
  signature 
    input a, output b 
  states 
    myturn: Bool := false 
  transitions 
    input a 
      eff myturn := true 
    output b 
      pre myturn 
      eff myturn := false 

Figure 19: AlternateA and AlternateB. 

than countb. CatchUpB can perform an arbitrary number of a actions, and can perform 
a b provided that counta > countb + 1. It allows countb to reach counta. Timing 
constraints require each output to occur exactly one time unit after the last action. CatchUpA 
and CatchUpB perform an alternating sequence of a actions and b actions when they are 
composed. 

Suppose that we want to prove that CatchUpA $\|$ CatchUpB $\leq$ AlternateA $\|$ AlternateB. 
We cannot apply the basic substitutivity theorem, Theorem 7.4, in particular Corollary 7.5, 
since the assertions CatchUpA $\leq$ AlternateA and CatchUpB $\leq$ AlternateB are not true. 
Consider the trace $1\, b\, 1\, a\, 1\, a\, 1$ of CatchUpA. After having performed one b and one a, 
CatchUpA can perform another a. But this is impossible for AlternateA, which needs an 
input to enable the second a. AlternateA and CatchUpA behave similarly only when put in 
a context that imposes alternation. 

It is easy to check that AlternateA and AlternateB satisfy the closure properties 
required by Assumptions 1 and 2 of Theorem 7.7 and, hence, can be substituted for $\mathcal{A}_2$ 
and $\mathcal{B}_2$ respectively. Similarly, we can easily check that Assumption 3 is satisfied if we 
substitute CatchUpA for $\mathcal{A}_1$ and CatchUpB for $\mathcal{B}_1$. 

□ 
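An added example (not from the monograph): an untimed Python model of AlternateA and AlternateB from Figure 19, composed according to the definition in Section 7.1.1, with helpers for the compatibility check, for Axiom E1, for the projection half of Theorem 7.3, and for the trace-inclusion failure described above (after b and a, AlternateA cannot perform a second a). The TIOA class, compose and accepts are constructed here and model only the discrete part of the automata.

```python
from itertools import product

class TIOA:
    """Untimed view of a TIOA: input/output/internal action sets, a start state and
    a step function returning the next state, or None when the action is not enabled.
    Constructed for this example; it models only the discrete part of the automata."""
    def __init__(self, inputs, outputs, internals, start, step):
        self.I, self.O, self.H = frozenset(inputs), frozenset(outputs), frozenset(internals)
        self.start, self.step = start, step

    @property
    def E(self):            # external actions
        return self.I | self.O

    @property
    def A(self):            # all actions, E ∪ H
        return self.E | self.H

def compatible(a, b):
    """Section 7.1.1: H_i ∩ A_j = ∅ and O_i ∩ O_j = ∅ (state variables are kept
    disjoint here by construction, so X_i ∩ X_j = ∅ holds trivially)."""
    return not (a.H & b.A) and not (b.H & a.A) and not (a.O & b.O)

def compose(a, b):
    """A_1 || A_2 with I = (I_1 ∪ I_2) − (O_1 ∪ O_2) and O = O_1 ∪ O_2."""
    if not compatible(a, b):
        raise ValueError("components are not compatible")

    def step(state, action):
        sa, sb = state
        # a component takes part in an action exactly when the action is in its signature
        na = a.step(sa, action) if action in a.A else sa
        nb = b.step(sb, action) if action in b.A else sb
        return None if na is None or nb is None else (na, nb)

    return TIOA(inputs=(a.I | b.I) - (a.O | b.O), outputs=a.O | b.O,
                internals=a.H | b.H, start=(a.start, b.start), step=step)

def accepts(auto, actions):
    """True iff the action sequence is a trace of auto in the untimed model."""
    s = auto.start
    for act in actions:
        s = auto.step(s, act)
        if s is None:
            return False
    return True

def input_enabled(auto, states):
    """Axiom E1 on the given states: every input action is enabled in every state."""
    return all(auto.step(s, i) is not None for s in states for i in auto.I)

def traces_of_length(auto, n):
    """All action sequences of length n that auto can perform (inputs included)."""
    return [seq for seq in product(sorted(auto.A), repeat=n) if accepts(auto, seq)]

def project(auto, trace):
    """The restriction β ⌈(E_i, ∅) of Theorem 7.3, ignoring time (internal actions dropped)."""
    return [act for act in trace if act in auto.E]

# Figure 19: AlternateA outputs a when myturn holds; input b hands the turn back.
def alternate_a_step(myturn, act):
    if act == "a":
        return False if myturn else None     # pre myturn; eff myturn := false
    if act == "b":
        return True                          # input, always enabled; eff myturn := true
    return None

# AlternateB is the mirror image, starting with myturn = false.
def alternate_b_step(myturn, act):
    if act == "b":
        return False if myturn else None
    if act == "a":
        return True
    return None

AlternateA = TIOA(inputs={"b"}, outputs={"a"}, internals=(), start=True, step=alternate_a_step)
AlternateB = TIOA(inputs={"a"}, outputs={"b"}, internals=(), start=False, step=alternate_b_step)
Handshake = compose(AlternateA, AlternateB)

if __name__ == "__main__":
    print(sorted(Handshake.O), sorted(Handshake.I))       # ['a', 'b'] []
    print(traces_of_length(Handshake, 4))                 # [('a', 'b', 'a', 'b')]
    # Example 7.9: the untimed projection of CatchUpA's trace 1 b 1 a 1 a 1 is b a a,
    # which AlternateA cannot perform because the second a needs an input first
    print(accepts(AlternateA, ["b", "a", "a"]))           # False
    # projection direction of Theorem 7.3: each composed trace restricts to component traces
    for trace in traces_of_length(Handshake, 4):
        print(accepts(AlternateA, project(AlternateA, trace)),
              accepts(AlternateB, project(AlternateB, trace)))   # True True
```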


Example 7.10 (Extracting essential environment assumptions with auxiliary automata). 
This example illustrates that it may be possible to decompose verification, using Corollary 
7.8, in cases where Theorem 7.7 is not applicable. If the aim is to show A_1 || B_1 ≤ 
A_2 || B_2 where A_2 and B_2 do not satisfy the assumptions of Theorem 7.7, then we find 
appropriate context automata A_3 and B_3 that abstract from those details of A_2 and B_2 
that are not essential in proving A_1 || B_1 ≤ A_2 || B_2. 

Consider the automata UseOldInputA and UseOldInputB in Figure 20. UseOldInputA 
keeps track of the next time it is supposed to perform an output, which may be never 
(infty). The number of outputs that UseOldInputA can perform is bounded by a natural 
number. In the case of repeated b inputs, it is the oldest input that determines when the 
next output will occur. The automaton UseOldInputB is the same as UseOldInputA (inputs 
and outputs reversed) except that the next variable of UseOldInputB is set to infty initially. 
Note that UseOldInputA and UseOldInputB are not timing-independent and their trace sets 
are not limit-closed. For each automaton, there are infinitely many start states, one for 
each natural number. We can build an infinite chain of traces, where each element in 
the chain corresponds to an execution starting from a distinct start state. The limit of 
such a chain, which contains infinitely many outputs, cannot be a trace of UseOldInputA 
or UseOldInputB since the number of outputs they can perform is bounded by a natural 
number. The automaton UseNewInputA in Figure 21 behaves similarly to UseOldInputA 
except for the handling of inputs. In the case of repeated b inputs, it is the most recent 
input that determines when the next output will occur. The automaton UseNewInputB in 
Figure 21 is the same as UseNewInputA (inputs and outputs reversed) except that the next 
variable of UseNewInputB is set to infty initially. Suppose that we want to prove that: 

UseNewInputA || UseNewInputB ≤ UseOldInputA || UseOldInputB. 

Theorem 7.7 is not applicable here because the high-level automata UseOldInputA and 
UseOldInputB do not satisfy the required closure properties. However, we can use Corollary 
7.8 to decompose verification. It requires us to find auxiliary automata that are less 
restrictive than UseOldInputA and UseOldInputB but that are restrictive enough to express 
the constraints that should be satisfied by the environment, for UseNewInputA to implement 
UseOldInputA and for UseNewInputB to implement UseOldInputB. 

The automata AlternateA and AlternateB in Figure 19 can be used as auxiliary automata 
in this example. They satisfy the closure properties required by Corollary 7.8 and impose 
alternation, which is the only additional condition needed to ensure the required trace 
inclusion. 

We can define a forward simulation relation from UseNewInputA || UseNewInputB to 
UseOldInputA || UseOldInputB, which is based on the equality of the next = infty predicate 
of the implementation and the specification automata. The fact that this simulation 
relation only uses the predicate next = infty reinforces the idea that the auxiliary contexts, 
which only keep track of their turn, capture exactly what is needed for the proof of 
UseNewInputA || UseNewInputB ≤ UseOldInputA || UseOldInputB. We can observe that a 
direct proof of this assertion would require one to deal with state variables such as maxout 
and next of both UseOldInputA and UseOldInputB, which do not play any essential role in 
the proof. On the other hand, by decomposing the proof along the lines of Corollary 7.8, 
some of the unnecessary details can be avoided. Even though this is a toy example with 
an easy proof, it should not be hard to see how this simplification would scale to large 
proofs. □ 


UseOldInputA 
  signature 
    output a, input b 
  states 
    maxout: Nat, now: Real := 0, next: AugmentedReal := 0 
  transitions 
    output a 
      pre (maxout > 0) ∧ (now = next) 
      eff maxout := maxout - 1; 
          next := infty 
    input b 
      eff if next = infty 
          then next := now + 1 
  trajectories 
    stop when now = next 
    evolve d(now) = 1 

UseOldInputB 
  signature 
    input a, output b 
  states 
    maxout: Nat, now: Real := 0, next: AugmentedReal := infty 
  transitions 
    input a 
      eff if next = infty 
          then next := now + 1 
    output b 
      pre (maxout > 0) ∧ (now = next) 
      eff maxout := maxout - 1; 
          next := infty 
  trajectories 
    stop when now = next 
    evolve d(now) = 1 

Figure 20: UseOldInputA and UseOldInputB. 


UseNewInputA 
  signature 
    output a, input b 
  states 
    maxout: Nat, now: Real := 0, next: AugmentedReal := 0 
  transitions 
    output a 
      pre (maxout > 0) ∧ (now = next) 
      eff maxout := maxout - 1; 
          next := infty 
    input b 
      eff next := now + 1 
  trajectories 
    stop when now = next 
    evolve d(now) = 1 

UseNewInputB 
  signature 
    input a, output b 
  states 
    maxout: Nat, now: Real := 0, next: AugmentedReal := infty 
  transitions 
    input a 
      eff next := now + 1 
    output b 
      pre (maxout > 0) ∧ (now = next) 
      eff maxout := maxout - 1; 
          next := infty 
  trajectories 
    stop when now = next 
    evolve d(now) = 1 

Figure 21: UseNewInputA and UseNewInputB. 
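The following Python rendering of UseOldInputA and UseNewInputA from Figures 20 and 21 is an added example, not part of the monograph; the class and function names are mine. It executes the two specifications on the same input pattern (b at times 0.5 and 1.0) and makes the difference described above visible: the old-input automaton outputs a at 1.5, the new-input one at 2.0, and once maxout is exhausted the stop when clause blocks time at the pending deadline.

```python
import math

INFTY = math.inf   # the value "infty" of type AugmentedReal in Figures 20 and 21


class InputToOutput:
    """Executable rendering of UseOldInputA (use_old=True) and UseNewInputA
    (use_old=False): output a, input b, at most maxout outputs, and a stop-when
    clause that forbids time to pass beyond the deadline next."""

    def __init__(self, maxout, use_old):
        self.maxout, self.now, self.next = maxout, 0.0, 0.0   # next := 0 initially
        self.use_old = use_old

    def input_b(self):
        # UseOldInputA: only a b arriving while next = infty sets the deadline,
        # so the oldest of repeated inputs decides; UseNewInputA: every b resets it.
        if self.next == INFTY or not self.use_old:
            self.next = self.now + 1

    def output_a_enabled(self):
        return self.maxout > 0 and self.now == self.next

    def output_a(self):
        self.maxout -= 1
        self.next = INFTY

    def advance_to(self, t):
        # trajectory with d(now) = 1, stop when now = next: never pass the deadline
        assert t <= self.next, "time cannot pass beyond next"
        self.now = t


def run(maxout, use_old, b_times):
    """Deliver b at the given times and return the times at which a is output."""
    aut, outputs, pending = InputToOutput(maxout, use_old), [], sorted(b_times)
    while True:
        if aut.output_a_enabled():
            aut.output_a()
            outputs.append(aut.now)
            continue
        if aut.now == aut.next:
            return outputs   # deadline reached with maxout = 0: time is blocked
        horizon = min([aut.next] + pending)   # next deadline or next input
        if horizon == INFTY:
            return outputs   # nothing more can happen; time passes freely
        aut.advance_to(horizon)
        if pending and pending[0] == horizon:
            pending.pop(0)
            aut.input_b()
```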
7.1.3 Composition of Special Kinds of TIOAs 

The following example illustrates that the set of I/O feasible TIOAs is not closed under 
composition: 

Example 7.11 (Two I/O feasible TIOAs whose composition is not I/O feasible). Consider 
two I/O feasible TIOAs A and B, where O_A = I_B = {a} and O_B = I_A = {b}. Suppose 
that A performs its output a at time 0 and then waits, allowing time to pass, until it 
receives input b. If and when it receives b, it responds with output a without allowing 
any time to pass (and ignoring any inputs that occur before it has a chance to perform its 
output). On the other hand, B starts out waiting, allowing time to pass, until it receives 
input a. If and when it receives a, it responds with output b without allowing time to 
pass. 

It is not difficult to see that A and B are individually I/O feasible. We claim that the 
composition A || B is not I/O feasible. To see this, consider the start state of A || B and the 
unique input sequence β with β.ltime = ∞; β simply allows time to pass to infinity. The 
composition A || B has no way of accommodating this input, since it will never allow time 
to pass beyond 0. □ 
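As an added illustration (not part of the monograph; class and function names are mine), the following Python code renders A and B of Example 7.11 executably: run alone, each automaton lets time pass as soon as it has no action due, but in the composition the a/b exchange recurs forever at time 0, so the time-passage input β can never be accommodated.

```python
class FeasibleA:
    """A of Example 7.11: a is due at time 0; afterwards every b received is
    answered by a before any time passes."""
    def __init__(self):
        self.a_due = True

    def urgent(self):            # a locally controlled action is due: time may not pass
        return self.a_due

    def output(self):
        self.a_due = False
        return "a"

    def input(self, act):
        if act == "b":
            self.a_due = True


class FeasibleB:
    """B of Example 7.11: waits for a, then answers with b without letting time pass."""
    def __init__(self):
        self.b_due = False

    def urgent(self):
        return self.b_due

    def output(self):
        self.b_due = False
        return "b"

    def input(self, act):
        if act == "a":
            self.b_due = True


def let_time_pass(components, deadline, max_steps=20):
    """Try to accommodate the input 'let time pass to deadline' in the composition.
    Discrete actions are performed while some component has one due, and each
    output is delivered to the other components as input. Returns the time
    reached and the actions performed; if the components keep reacting to each
    other the run is cut off after max_steps with time still at 0 (a Zeno run)."""
    now, actions = 0.0, []
    while len(actions) < max_steps:
        due = [c for c in components if c.urgent()]
        if not due:
            return deadline, actions          # quiescent: the trajectory may proceed
        act = due[0].output()
        actions.append(act)
        for c in components:
            if c is not due[0]:
                c.input(act)
    return now, actions                        # time never got past 0
```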

On the other hand, the following theorems say that the classes of progressive and 
receptive TIOAs are closed under composition: 

Theorem 7.12 If A_1 and A_2 are compatible progressive TIOAs, then their composition 
is also progressive. 

Proof: The proof is similar to the proof of Theorem 7.4 in [6]. The main idea behind the 
proof is that a Zeno execution of A_1 || A_2 with infinitely many locally controlled actions contains 
infinitely many locally controlled actions of either A_1 or A_2. Suppose without loss of 
generality that the automaton that contributes infinitely many locally controlled actions 
is A_1. Then the projection onto A_1 violates progressiveness for A_1. □ 


Theorem 7.13 Let A_1 and A_2 be two compatible TIOAs with strategies A'_1 and A'_2, 
respectively. Then A'_1 || A'_2 is a strategy for A_1 || A_2. 

Proof: Straightforward. The proof is similar to the proof of Theorem 7.7 in [6]. □ 

Now, we can state the main result of this section, which follows easily from the previous 
two theorems. It shows that the class of receptive TIOAs is closed under composition. 

Theorem 7.14 Let A_1 and A_2 be two compatible receptive TIOAs with progressive strategies 
A'_1 and A'_2, respectively. Then A_1 || A_2 is a receptive TIOA with progressive strategy 
A'_1 || A'_2. 

Example 7.15 (Composition of receptive TIOAs). Theorem 7.14 implies that the composition 
of clock synchronization automata with channel automata described in Example 5.7 
(viewed as TIOAs as explained in Example 6.1) is receptive. By Theorem 6.6 we also have 
that it is I/O feasible. □ 

Actually, the fact that the set of I/O feasible TIOAs is not closed under composition 
motivated the definition of the more restrictive class of receptive TIOAs. That is, recep¬ 
tiveness is a reasonable sufficient condition that implies I/O feasibility, and that also is 
preserved by composition. 

The special case of the HIOA model, represented by the TIOA model, has simpler and 
stronger composition theorems than the general HIOA model. In particular, the main 
compositionality result for receptive HIOAs (Theorem 7.12 in [6]) has a more intricate 
proof than ours. It makes an assumption about the existence of strongly compatible 
strategies (discussed briefly at the end of Section 7.1.1) and needs an additional lemma 
that shows that if two HIOAs A_1 and A_2 have strongly compatible strategies A'_1 and A'_2, 
then A_1 and A_2 are also strongly compatible. 


7.2 Hiding 

We extend the definition of action hiding to any TIOA A. For TIOAs, we consider 
hiding outputs only (but not inputs), by converting them to internal actions. Namely, if 
O ⊆ O_A, then ActHide(O, A) is the TIOA B that is equal to A except that O_B = O_A − O 
and H_B = H_A ∪ O. 

Lemma 7.16 If A is a TIOA and O ⊆ O_A then ActHide(O, A) is a TIOA. 

Lemma 7.17 If A is a TIOA and O ⊆ O_A then traces_ActHide(O, A) = {β ⌈ ((O_A − O) ∪ I_A, ∅) | 
β ∈ traces_A}. 

Theorem 7.18 Suppose A and B are TIOAs with A ≤ B, and suppose O ⊆ O_A. Then 
ActHide(O, A) ≤ ActHide(O, B). 

8 Conclusions and Future Work 


In this monograph, we have presented a new framework for describing and analyzing the 
behavior of timed systems. This framework is a mathematical framework that uses timed 
I/O automata for the representation of systems. The TIOA framework is a special case 
of the hybrid I/O automaton modeling framework [6]. We used what we have learned in 
developing the HIOA framework to revise the earlier work on timed I/O automaton models. 
Our main motivation was to have a timed I/O automaton model that is compatible with 
the new HIOA model. We sought to benefit from the new style used in describing hybrid 
behavior in simplifying the prior definitions and results on timed I/O automata. 

Designers of real-time systems or timing-based algorithms can use the TIOA framework 
to describe complex systems and to decompose them into manageable pieces. In partic¬ 
ular, they can use the TIOA framework to describe their systems at multiple levels of 
abstraction, to establish implementation relationships between these levels and to decom¬ 
pose their systems into more primitive, interacting components. Although the framework 
as presented in this monograph provides only conceptual tools for modeling, and manual 
proof methods, it also is a natural basis for building computerized modeling and analysis. 

We are currently working on the development of a toolset based on this mathematical 
framework that will consist of: (a) a formal modeling language called TIOA, (b) a front- 
end processor for TIOA, incorporating syntax and static semantic checking, and providing 
interfaces to computer-aided design tools, (c) a simulation tool allowing simulation of 
specifications and paired simulations of a specification and an abstract implementation, 
and (d) a theorem-proving link through an interface to the theorem-prover PVS [58]. We 
refer to [5, 36, 37, 38] for more information on the TIOA toolset. The described project 
builds upon our prior work on the IOA language [59]. 

On the theoretical side, we have done preliminary research toward extending the TIOA 
framework with support for reasoning about safety and liveness properties of timed sys¬ 
tems. We have defined notions of fairness and proved results that state under which 
conditions the “fair” traces of a TIOA can be shown to be included in the fair traces of 
another. We have started investigating the consequences of composition on automata with 
liveness properties and the use of receptiveness and strategies in this context [60]. In [61], 
we study urgency predicates as an alternative to the stop when clauses that are used 
in this monograph for the specification of progress properties. The results of these lines 
of preliminary work are not included in this version of the monograph because the adequacy 
of our definitions and methods is yet to be assessed on a larger class of non-trivial 
examples. 

We will also continue our work on establishing formal relationships with other models 
that are comparable to ours, showing that the TIOA framework is general enough to 
express previous results from other frameworks, such as [7, 8, 9, 10, 11, 12]. 
Clock, 69 

Clock and manager problem, 69 
clock synchronization, 33, 47 
ClockSync, 33, 62, 79 
compact element of a cpo, 16 
comparable, 82 
TA, 43 

compatible, 84 
TA, 59 

complete partial order (cpo), 15 
algebraic cpo, 16 
compact element, 16 
composition, 9, 59, 84 
continuous, 16 

cpo, see complete partial order 

discrete action, 25 
discrete transition, 25 
discrete variable, 18, 28 
dynamic type, 17 


effect, 28 
enabled, 25 
execution, 36, 79 
PeriodicSend, 37 
Timeout, 38 

execution fragment, 36, 37, 79 
feasible, 79 

FIN, see finite internal nondeterminism 
finite internal nondeterminism (FIN), 41, 88 
Fischer’s mutual exclusion, 31, 39, 76 
FischerME, 31 
FischerME, 76 

forward simulation, see simulation relation 
clock synchronization, 47 
time-bounded channels, 46 

hiding, 68 
HIOA, 10, 85 
history relation, 53, 54, 83 
history variable, 53, 54 

time-bounded channels, 53 
hybrid automaton, 26, 59 
Hybrid I/O Automaton modeling framework, 
10, 96 

hybrid sequence, 21, 22 
admissible, 22 
closed, 22 
concatenation, 23 
limit time, 22 
prefix, 23 
time-bounded, 22 
Zeno, 22 
HyTech, 12 

I/O feasibility, 95 
I/O feasible, 79, 94 
implementation, 9, 43 
invariant, 36 

clock agreement, 63 
clock validity, 63 
ClockSync, 63 
failure and timeout, 61 
FischerME, 39 
TimedChannel, 39 
timeout, 61 

Kronos, 12 

limit of a chain, 16 
linear hybrid automaton, 12 
locally Zeno, 79 

Manager, 69 
monotone, 16 

non-Zeno, 22, 24 

parallel composition, see composition 
partial order, 15 

complete partial order, 15 
periodic sending process, 29, 37 
periodic sending process with failures, 30 
PeriodicSend, 29, 60 
PeriodicSend2, 30, 61 
point trajectory, see trajectory 
precondition, 28 
prefix, 15 
progressive, 80, 82 
prophecy relation, 56, 83 
prophecy variable, 56, 57 

reachable, 36 
receptive, 82, 95 
receptiveness, 9, 81, 95 
refinement, 48 

sequence, 14 

simulation relation, 9, 43 

backward simulation, 44, 49, 51, 83 
forward simulation, 44, 83 
refinement, 48 
Specification, 69 
static type, 17 
strategy, 81, 81 


substitutivity, 64, 65, 85, 86 
System, 69 

TA, see timed automaton 
TA with bounds, 69, 71 
task, 69, 71 

lower bound, 71 
upper bound, 72 
time axis, 17 
time interval, 17 
closed, 17 
left-closed, 17 
right-closed, 17 

time-bounded channel, 28, 38, 46, 53 
timed automaton (TA), 25 
timed automaton model, 25 
Timed I/O automaton (TIOA), 9, 78 
Timed Input/Output Automaton modeling 
framework, 8 

TimedChannel, 28, 60, 61, 79 
Timeout, 61 
Timeout, 30, 60 
timeout process, 30, 38 
timing-independent, /£, 88 
TIOA, see Timed I/O automaton 
trace, 9, 37, 79 

PeriodicSend, 37 
Timeout, 38 
trace fragment, 37, 79 
trajectory, 19, 25 
closed, 20 
concatenation, 21 
full, 20 
limit time, 20 
open, 20 

point trajectory, 19, 22 
prefix, 20 

Uppaal, 12 
UseNewInputA, 91 
UseNewInputB, 91 
UseOldInputA, 91 
UseOldInputB, 91 





variables, 17, 19, 25 
analog, 18 
discrete, 18 
dynamic types, 17 
static type, 17 

weak isomorphism, 49 

Zeno, 9, 22, 40 